amadey | 4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
Size

1.8MB
MD5

2f2bfd0f3fe0a2c5cc911e8d82b10581
SHA1

414dddc6938b5ffb6724fb940e4e6dbdb28e2235
SHA256

4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4
SHA512

64df3eced6dc8751f232b5df2e7cf5ce4e0ef12608f9aeca72223df469f612dcc270b6d20db2b0e6787f129e421717e013b934dd1672c2df508b50e432bb8b8a
SSDEEP

24576:CqbDisemYQkGRELN9Qoz1NcdXJEmXm4/kHVZcbHY6ACdOuJ37ek8G8NP6yf+vdrq:CcBKR9Qoz1N8mZmHQCYGX8hB+dq

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3503ced013.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5543dff5e7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3503ced013.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3503ced013.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5543dff5e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5543dff5e7.exe

Executes dropped EXE 6 IoCs

pid	Process
3308	explortu.exe
2208	3503ced013.exe
2296	5543dff5e7.exe
4796	explortu.exe
2560	explortu.exe
1504	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	3503ced013.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	5543dff5e7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\3503ced013.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\3503ced013.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2296-119-0x00000000004B0000-0x0000000000A1E000-memory.dmp	autoit_exe
behavioral2/memory/2296-147-0x00000000004B0000-0x0000000000A1E000-memory.dmp	autoit_exe
behavioral2/memory/2296-155-0x00000000004B0000-0x0000000000A1E000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4388	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
3308	explortu.exe
2208	3503ced013.exe
2296	5543dff5e7.exe
4796	explortu.exe
2560	explortu.exe
1504	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637200175743173"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4388	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
4388	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
3308	explortu.exe
3308	explortu.exe
2208	3503ced013.exe
2208	3503ced013.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2500	chrome.exe
2500	chrome.exe
4796	explortu.exe
4796	explortu.exe
2560	explortu.exe
2560	explortu.exe
644	chrome.exe
644	chrome.exe
1504	explortu.exe
1504	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2296	5543dff5e7.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2296	5543dff5e7.exe
2500	chrome.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2296	5543dff5e7.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe
2296	5543dff5e7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3308	4388	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe	80
PID 4388 wrote to memory of 3308	4388	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe	80
PID 4388 wrote to memory of 3308	4388	4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe	80
PID 3308 wrote to memory of 5004	3308	explortu.exe	81
PID 3308 wrote to memory of 5004	3308	explortu.exe	81
PID 3308 wrote to memory of 5004	3308	explortu.exe	81
PID 3308 wrote to memory of 2208	3308	explortu.exe	82
PID 3308 wrote to memory of 2208	3308	explortu.exe	82
PID 3308 wrote to memory of 2208	3308	explortu.exe	82
PID 3308 wrote to memory of 2296	3308	explortu.exe	83
PID 3308 wrote to memory of 2296	3308	explortu.exe	83
PID 3308 wrote to memory of 2296	3308	explortu.exe	83
PID 2296 wrote to memory of 2500	2296	5543dff5e7.exe	84
PID 2296 wrote to memory of 2500	2296	5543dff5e7.exe	84
PID 2500 wrote to memory of 3792	2500	chrome.exe	87
PID 2500 wrote to memory of 3792	2500	chrome.exe	87
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 560	2500	chrome.exe	88
PID 2500 wrote to memory of 1340	2500	chrome.exe	89
PID 2500 wrote to memory of 1340	2500	chrome.exe	89
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90
PID 2500 wrote to memory of 4828	2500	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
"C:\Users\Admin\AppData\Local\Temp\4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:5004
- - C:\Users\Admin\AppData\Local\Temp\1000016001\3503ced013.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\3503ced013.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\1000017001\5543dff5e7.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\5543dff5e7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda188ab58,0x7ffda188ab68,0x7ffda188ab78
        5⤵
        
        PID:3792
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1496 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:2
        5⤵
        
        PID:560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:8
        5⤵
        
        PID:1340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2140 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:8
        5⤵
        
        PID:4828
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:1
        5⤵
        
        PID:1116
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:1
        5⤵
        
        PID:1292
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4196 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:1
        5⤵
        
        PID:4756
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:8
        5⤵
        
        PID:3092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:8
        5⤵
        
        PID:4108
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:8
        5⤵
        
        PID:2964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1464 --field-trial-handle=1776,i,12338900938159258678,14088996739220831249,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6e3d8697cf7344446fcdf88409b5f1f8

SHA1
10805e29bd0f8a90c0c11f3ece18b103a3e09a46

SHA256
4570dffed9dc4a4afc4f6083a96165c7a94bb4dd9600660cd2058366d824b48a

SHA512
46003467d367d97fd0c40723880eb2c2b663bec7153ae1a67649e557f12a9370954b625d086d92dc1f2c56de8aadbf270602f07153dcfa2fdaff55d01a94a41f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
248e2f0c6327af2d45a33729834a8c2d

SHA1
fab005ccbe7c29de36fa934935c519ea8e57452d

SHA256
8ba59d0e8367d173d670105286c33b64f8f7ef1106da931179de75bd7f9b096a

SHA512
3a4f782986c22b422c08487f21c92d7aaf9efa850595966fed786056ffc670cadff732969062ac1de8a418ba595715ae626c55a78d0b2ac52a0f564e1a16a6fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3419a354930564fdcb7f8d6f7ac43d20

SHA1
d98295f1d9038aeb1f78c4beee79b89a7d9d7640

SHA256
fd46ef9a536309969c4632626dadaac0a03c1768e7d2a6abf9f5cd51ae02f981

SHA512
6d9295c388ef50ad97d064dc3bb9366abcdcc51f9f4c71f70485ecccaf1045d9c52ceaa8abbf4809e90a6f295c02afe92493ae84c675c2cea50d41e9a4b92383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
e69e74787f446a08214b7d341d0a5512

SHA1
0df2be61fb2d265df0716f6c483f4da48bf47bce

SHA256
0564a4813c00890f1f2e3a7936dfc7cb99ef249fba6c62b03ff9b455a64f0907

SHA512
42634db234622de770030f3ad521cafa334f48d3b234da7b1c33465bfd9d5db9f0ecac6addb505851718cb099f2d27a6b2da6fbaa4828b4654280d364b44ef8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c6b0b16d49ec2a50eed1175ae7733375

SHA1
027a1325bf317d8bcb86ea35d22b83780bb07091

SHA256
a1c181b838101f14a7d566c9333adafc07c4c5f9222add4d13a7b268967d59d8

SHA512
0eaa4b2789eae2af3051ab81014d92b870de182f28f099dfadf07178532b0c5cb585bb835b2bf9efb933963a492d1fa6701409ba92e30bc196096cc12135db8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a39e48ac3a994166602978fc5c62a252

SHA1
9b6ac09b3542e3e14ec0afdd2be11d4587e4d2bf

SHA256
f6f0ff1e5543155d281cd8b9f51ef4fcb508a6b225fbb60d6a66c1fe61db3859

SHA512
50ba78846d708002ed9658803983add762f016c2e18634cb817bff44de13b96805fe8d45c7080027869cb20c7ea1db450e14ad8e51dc24c2c44c9359bff96a28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c7d1f2f2-6930-4d31-87b8-69155a07d255.tmp

Filesize
280KB

MD5
1fffbcd8fe5420d46d3ce26f2a60b199

SHA1
326891fcc31de28bad53dee153f610cc0026c496

SHA256
87549896c7dac28261ecd1bbdf982bf28772cb54759186dea42dcf4f830649e0

SHA512
0cf3fe3d34a9c96ca091943a3339ab3b96b8847fef6782f5c5ad2f76f02957f889602b4ebe48973523b608ab26632bd0d6902724586cbe73e385469712ab800c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\3503ced013.exe

Filesize
2.3MB

MD5
9e88c3b9177bfb5f3272348c559ab0a5

SHA1
3bf98278fefbfbdb78578122fb47cda84864313a

SHA256
4e18d688a5a00e517fe82e040a0d3e2607a2f51e8d2af25b46eed1a4f37137cb

SHA512
c61ea9447b76bafb91497655d397c68da72ce47486fc2ed8431e985fb72d59983e3366dd528cb716abe6d56a2df8f52418f84909604812fb1c5a9a25b2cb85c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\5543dff5e7.exe

Filesize
2.3MB

MD5
4973cfb4964ce6e263ca0479f8a7f67e

SHA1
8248bf51e43f9e7abd49620a33d178bcabf47608

SHA256
0501ac876d99e76b23b20a227d8a8c7f986ec882e46cc52a81f9ca20dab755f0

SHA512
a7bba2652a71795b9d48424760b9210f3c60fd3913702268a6b2ef1c48f3256033887ffb81b9b3b8f6ec6c38df29e1c3ebcc56180af24585671dc916f7861819

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
2f2bfd0f3fe0a2c5cc911e8d82b10581

SHA1
414dddc6938b5ffb6724fb940e4e6dbdb28e2235

SHA256
4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4

SHA512
64df3eced6dc8751f232b5df2e7cf5ce4e0ef12608f9aeca72223df469f612dcc270b6d20db2b0e6787f129e421717e013b934dd1672c2df508b50e432bb8b8a

Download Submit
memory/1504-211-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/1504-213-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/2208-194-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-146-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-42-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-224-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-113-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-209-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-202-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-200-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-198-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-156-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-196-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-169-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-171-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-158-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-174-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2208-145-0x0000000000630000-0x0000000000C23000-memory.dmp

Filesize
5.9MB

Download
memory/2296-60-0x00000000004B0000-0x0000000000A1E000-memory.dmp

Filesize
5.4MB

Download
memory/2296-147-0x00000000004B0000-0x0000000000A1E000-memory.dmp

Filesize
5.4MB

Download
memory/2296-155-0x00000000004B0000-0x0000000000A1E000-memory.dmp

Filesize
5.4MB

Download
memory/2296-119-0x00000000004B0000-0x0000000000A1E000-memory.dmp

Filesize
5.4MB

Download
memory/2560-176-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/2560-178-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-137-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-195-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-168-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-107-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-170-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-148-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-173-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-18-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-19-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-20-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-188-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-214-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-114-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-157-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-21-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-197-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-208-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-199-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-116-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/3308-201-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/4388-0-0x00000000006C0000-0x0000000000B7B000-memory.dmp

Filesize
4.7MB

Download
memory/4388-3-0x00000000006C0000-0x0000000000B7B000-memory.dmp

Filesize
4.7MB

Download
memory/4388-2-0x00000000006C1000-0x00000000006EF000-memory.dmp

Filesize
184KB

Download
memory/4388-5-0x00000000006C0000-0x0000000000B7B000-memory.dmp

Filesize
4.7MB

Download
memory/4388-1-0x0000000077606000-0x0000000077608000-memory.dmp

Filesize
8KB

Download
memory/4388-17-0x00000000006C0000-0x0000000000B7B000-memory.dmp

Filesize
4.7MB

Download
memory/4796-117-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download
memory/4796-118-0x00000000005B0000-0x0000000000A6B000-memory.dmp

Filesize
4.7MB

Download