amadey | c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
Size

1.8MB
MD5

0723f9a966b2b172a054f8b8c5635cfb
SHA1

1cdf9fd19fd91d1f25eb91bab190a35a22337163
SHA256

c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec
SHA512

3cdef4d4d1f7e6f69d629d926117ae34cef5ee59e9a524e37c7ea2eb877f2be133100c021189cc956bdc2b5c45b498f9118c36fc66347f3df7fe2a51e708deee
SSDEEP

49152:PMWKPhn7oQT89EhEceDepxJXt6KYyUZBzTyYn/l0sZxcIJMOc:PJKTT4DctaJNZBzGuqsZdJ

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6df3a4fb52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	407da7b0ab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6df3a4fb52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	407da7b0ab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	407da7b0ab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6df3a4fb52.exe

Executes dropped EXE 5 IoCs

pid	Process
956	explortu.exe
4992	6df3a4fb52.exe
4572	407da7b0ab.exe
4956	explortu.exe
3952	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	407da7b0ab.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	6df3a4fb52.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Run\6df3a4fb52.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\6df3a4fb52.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4572-116-0x0000000000C10000-0x0000000001169000-memory.dmp	autoit_exe
behavioral2/memory/4572-144-0x0000000000C10000-0x0000000001169000-memory.dmp	autoit_exe
behavioral2/memory/4572-152-0x0000000000C10000-0x0000000001169000-memory.dmp	autoit_exe
behavioral2/memory/4572-153-0x0000000000C10000-0x0000000001169000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1964	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
956	explortu.exe
4992	6df3a4fb52.exe
4572	407da7b0ab.exe
4956	explortu.exe
3952	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637346168242725"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1964	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
1964	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
956	explortu.exe
956	explortu.exe
4992	6df3a4fb52.exe
4992	6df3a4fb52.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
2644	chrome.exe
2644	chrome.exe
4956	explortu.exe
4956	explortu.exe
3952	explortu.exe
3952	explortu.exe
1636	chrome.exe
1636	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1964	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
2644	chrome.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe
4572	407da7b0ab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 956	1964	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe	77
PID 1964 wrote to memory of 956	1964	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe	77
PID 1964 wrote to memory of 956	1964	c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe	77
PID 956 wrote to memory of 1928	956	explortu.exe	78
PID 956 wrote to memory of 1928	956	explortu.exe	78
PID 956 wrote to memory of 1928	956	explortu.exe	78
PID 956 wrote to memory of 4992	956	explortu.exe	79
PID 956 wrote to memory of 4992	956	explortu.exe	79
PID 956 wrote to memory of 4992	956	explortu.exe	79
PID 956 wrote to memory of 4572	956	explortu.exe	80
PID 956 wrote to memory of 4572	956	explortu.exe	80
PID 956 wrote to memory of 4572	956	explortu.exe	80
PID 4572 wrote to memory of 2644	4572	407da7b0ab.exe	81
PID 4572 wrote to memory of 2644	4572	407da7b0ab.exe	81
PID 2644 wrote to memory of 1548	2644	chrome.exe	84
PID 2644 wrote to memory of 1548	2644	chrome.exe	84
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 404	2644	chrome.exe	85
PID 2644 wrote to memory of 3272	2644	chrome.exe	86
PID 2644 wrote to memory of 3272	2644	chrome.exe	86
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87
PID 2644 wrote to memory of 1416	2644	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe
"C:\Users\Admin\AppData\Local\Temp\c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\1000016001\6df3a4fb52.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\6df3a4fb52.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4992
- - C:\Users\Admin\AppData\Local\Temp\1000017001\407da7b0ab.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\407da7b0ab.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa9357ab58,0x7ffa9357ab68,0x7ffa9357ab78
        5⤵
        
        PID:1548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:2
        5⤵
        
        PID:404
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:8
        5⤵
        
        PID:3272
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2008 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:8
        5⤵
        
        PID:1416
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:1
        5⤵
        
        PID:2628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:1
        5⤵
        
        PID:4624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:1
        5⤵
        
        PID:2348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:8
        5⤵
        
        PID:4960
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:8
        5⤵
        
        PID:3496
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:8
        5⤵
        
        PID:3892
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2340 --field-trial-handle=1968,i,2508741274572456283,6475700215271377055,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:132

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
bc8dcb2f03c405218756a577ce6fa364

SHA1
3a1c7386bbd72975a49f862506c7e86f473c7e35

SHA256
4a59409b48231580af7b6379f5788545197fd4472cbce99a4301a2c99c6ef815

SHA512
9265bc8925467c60a64bd2dc128c258ebbfa5c41fe7db19f7beaf619e09185f7cd28f8236b9eec245d2acbf128c7e9b93b86aa4bca853b15a3bc0783cfe5b82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6fcec44bf204531c4837bd9180dba87b

SHA1
707866b2603a237439b98fb3bb64a024ed686393

SHA256
a3aa0875855d7d291189a7505396495f0cfd6885cd699adcaa8e88d2b840068e

SHA512
8878965d09248e09741552a1f147beb0e793dfcb7ac1a8c29dc8597a67751943979bc57a623c58a574bebe7e2d696a7956cfa5f0e4e887467af3d4d8ab003828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c49b0d495c26d319c3e1bbb28908ee10

SHA1
b39f617e7906510a70dc86dee711eb2b69c25e9e

SHA256
923cd4e633bd3a3bbd510d5ab9b7febd7a0088510e4287f2f850db002a69e357

SHA512
d05bdc1b263c19b4965577d169d40825f0351aa6f9c2adbb8fe5beb4e9e42a1f6d0765d182a49d48892da0609344f5e104789ebf9af822a0032755a8f0d19000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
ad86da6b22cbfd7c6c02cc3d0af7f4d5

SHA1
c6e6ddf39fca0701be73582204b4a31737a31606

SHA256
8cfb780f7c063d079a4366e7e50dd94069d4127b613961df7f21eaaf20582fb7

SHA512
469280aff124b18e254e4e07c697ccbbd191e52c2921b85e26ec08e0a0524b2a513d70734f5582e2fadb694353559e852064025bdb8243c0146610b94022d144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f85051549c5f368fa8c7aee0b4322c69

SHA1
602719a78851ea51dabc17b1167998ed86625385

SHA256
5327c8c3c6bb6b39643deb518d875499061fe2094cc6e1388199d1364c31da56

SHA512
ac2d11684091ac3c24c7241e938af6d16e52259450de70328fa2164e7cb29b58acab121da31fd0cea9a437e916c617b7eff9f99b26800dc4e60ca25acb77ea4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0b42b9714a586af718a7761b509f90a4

SHA1
eadaeffe4cc62fbfc807c1509404080597f4bfff

SHA256
10c61b40522f33dd0c2a292a82713412a5a7dd3483c0c349a0bd45243d748d67

SHA512
0e220c2c8d4487fdec31d65bca5e47aa53015c47448737e18da59c3279abe213320b95d26fea2782c4963c2ef59aa526e579ed66347657dc18852b943bae4d48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
e2598c77b7cf9e3d68badad3f1988730

SHA1
a97334ca086a6117f2f07f6ff06a846ae060d6f3

SHA256
087536c6edc36de97e4dd3ffe6e48f90abe66b5181591d0ae5c076f865af7e8e

SHA512
39dd5326f38ce39ab74ffa3c4322a7f6524a9ce84a16a4cd6ffc51588eeed5b7a4755722eb3edd558864b50ec496685a78121cbf8ec29f3b9419267317ca6288

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\6df3a4fb52.exe

Filesize
2.3MB

MD5
916f274a09154f28a71cc22479765d26

SHA1
9021242aedd023e46a43b51f51b6cab10e426c2a

SHA256
cd4054c0a2f7f50aa2c781d5ba874942c61d1bb5e9fe6fd13f2121e1a6819d8b

SHA512
87791645ab0556dff6b11df1317369e8b86765e514c23c78cddc63803dd0222a1164e8d7ae286a6a27249b8a2662ae8709cf43322afbbfd6a8eb62257188f165

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\407da7b0ab.exe

Filesize
2.3MB

MD5
6caa25ad9e75747f04c2b84d8e641fb4

SHA1
d5aa397b4f8556c95d8661785290277c6b9cd1b9

SHA256
b55f7a7fada0b3eee084d11760d59db571c59b6664a5fa24aa1d2b902df6f157

SHA512
b6ed2a02d5bd918cbbd037b7b035354f50782e59dba9213bf2f3e48675111f8c334ae77d0448adcc4fc458a5827e7c365937103d046fb17175489fca03e70963

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
0723f9a966b2b172a054f8b8c5635cfb

SHA1
1cdf9fd19fd91d1f25eb91bab190a35a22337163

SHA256
c3a9f99d9e7253a8d6c75a20c2ab55ecf5e889d0da1bd02c030307da80aeeaec

SHA512
3cdef4d4d1f7e6f69d629d926117ae34cef5ee59e9a524e37c7ea2eb877f2be133100c021189cc956bdc2b5c45b498f9118c36fc66347f3df7fe2a51e708deee

Download Submit
memory/956-145-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-166-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-219-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-21-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-208-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-19-0x0000000000851000-0x000000000087F000-memory.dmp

Filesize
184KB

Download
memory/956-94-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-201-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-115-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-196-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-20-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-16-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-194-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-132-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-133-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-192-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-190-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-174-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-171-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/956-155-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/1964-18-0x0000000000FB0000-0x000000000146B000-memory.dmp

Filesize
4.7MB

Download
memory/1964-1-0x0000000076FB6000-0x0000000076FB8000-memory.dmp

Filesize
8KB

Download
memory/1964-3-0x0000000000FB0000-0x000000000146B000-memory.dmp

Filesize
4.7MB

Download
memory/1964-2-0x0000000000FB1000-0x0000000000FDF000-memory.dmp

Filesize
184KB

Download
memory/1964-0-0x0000000000FB0000-0x000000000146B000-memory.dmp

Filesize
4.7MB

Download
memory/1964-5-0x0000000000FB0000-0x000000000146B000-memory.dmp

Filesize
4.7MB

Download
memory/3952-200-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/3952-199-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/4572-152-0x0000000000C10000-0x0000000001169000-memory.dmp

Filesize
5.3MB

Download
memory/4572-153-0x0000000000C10000-0x0000000001169000-memory.dmp

Filesize
5.3MB

Download
memory/4572-61-0x0000000000C10000-0x0000000001169000-memory.dmp

Filesize
5.3MB

Download
memory/4572-116-0x0000000000C10000-0x0000000001169000-memory.dmp

Filesize
5.3MB

Download
memory/4572-144-0x0000000000C10000-0x0000000001169000-memory.dmp

Filesize
5.3MB

Download
memory/4956-169-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/4956-170-0x0000000000850000-0x0000000000D0B000-memory.dmp

Filesize
4.7MB

Download
memory/4992-197-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-143-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-42-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-193-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-156-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-195-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-167-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-114-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-172-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-191-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-175-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-202-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-146-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-209-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-154-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-43-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download
memory/4992-220-0x0000000000650000-0x0000000000C2C000-memory.dmp

Filesize
5.9MB

Download