amadey | 5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af

Analysis

max time kernel
149s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
27-06-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
Size

1.8MB
MD5

344fd6bf5a21dc5d57ca85ec059f075b
SHA1

2cc41beff75d838b5695e90de3b6a4a5cb596f46
SHA256

5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af
SHA512

47ce19f91b09bfa2077f37f186a215d1075305f88b4ff2585a987444ce72ff4e1a4dabd6651f0df33f4984e9dbc76999503742b3d556f1ba9ae065da977c81ae
SSDEEP

49152:272m8OrdqRPD3iDn1JqSc9Bc87z+xDGTm/HMkJll0:Ep83ir6Sc9Cx2mLr

Score

10^/10

amadey risepro 4dd39d e76b71 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1b4a7ce87f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0045efde07.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a69c7f19fc.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0045efde07.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a69c7f19fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a69c7f19fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1b4a7ce87f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0045efde07.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1b4a7ce87f.exe

Executes dropped EXE 5 IoCs

pid	Process
1760	explorti.exe
72	a69c7f19fc.exe
2912	axplong.exe
3316	1b4a7ce87f.exe
3472	0045efde07.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	0045efde07.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	a69c7f19fc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Wine	1b4a7ce87f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Run\1b4a7ce87f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000004001\\1b4a7ce87f.exe"	explorti.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3472-149-0x0000000000D80000-0x00000000012E0000-memory.dmp	autoit_exe
behavioral2/memory/3472-177-0x0000000000D80000-0x00000000012E0000-memory.dmp	autoit_exe
behavioral2/memory/3472-184-0x0000000000D80000-0x00000000012E0000-memory.dmp	autoit_exe
behavioral2/memory/3472-185-0x0000000000D80000-0x00000000012E0000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4736	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
1760	explorti.exe
72	a69c7f19fc.exe
2912	axplong.exe
3316	1b4a7ce87f.exe
3472	0045efde07.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
File created	C:\Windows\Tasks\axplong.job	a69c7f19fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639595635810260"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4736	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
4736	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
1760	explorti.exe
1760	explorti.exe
72	a69c7f19fc.exe
72	a69c7f19fc.exe
2912	axplong.exe
2912	axplong.exe
3316	1b4a7ce87f.exe
3316	1b4a7ce87f.exe
3472	0045efde07.exe
3472	0045efde07.exe
1804	chrome.exe
1804	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe
Token: SeShutdownPrivilege	1804	chrome.exe
Token: SeCreatePagefilePrivilege	1804	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
72	a69c7f19fc.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
3472	0045efde07.exe
3472	0045efde07.exe
1804	chrome.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
1804	chrome.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe
3472	0045efde07.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 1760	4736	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe	81
PID 4736 wrote to memory of 1760	4736	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe	81
PID 4736 wrote to memory of 1760	4736	5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe	81
PID 1760 wrote to memory of 4744	1760	explorti.exe	83
PID 1760 wrote to memory of 4744	1760	explorti.exe	83
PID 1760 wrote to memory of 4744	1760	explorti.exe	83
PID 1760 wrote to memory of 72	1760	explorti.exe	84
PID 1760 wrote to memory of 72	1760	explorti.exe	84
PID 1760 wrote to memory of 72	1760	explorti.exe	84
PID 72 wrote to memory of 2912	72	a69c7f19fc.exe	85
PID 72 wrote to memory of 2912	72	a69c7f19fc.exe	85
PID 72 wrote to memory of 2912	72	a69c7f19fc.exe	85
PID 1760 wrote to memory of 3316	1760	explorti.exe	86
PID 1760 wrote to memory of 3316	1760	explorti.exe	86
PID 1760 wrote to memory of 3316	1760	explorti.exe	86
PID 1760 wrote to memory of 3472	1760	explorti.exe	87
PID 1760 wrote to memory of 3472	1760	explorti.exe	87
PID 1760 wrote to memory of 3472	1760	explorti.exe	87
PID 3472 wrote to memory of 1804	3472	0045efde07.exe	88
PID 3472 wrote to memory of 1804	3472	0045efde07.exe	88
PID 1804 wrote to memory of 4716	1804	chrome.exe	91
PID 1804 wrote to memory of 4716	1804	chrome.exe	91
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 2080	1804	chrome.exe	92
PID 1804 wrote to memory of 4944	1804	chrome.exe	93
PID 1804 wrote to memory of 4944	1804	chrome.exe	93
PID 1804 wrote to memory of 1580	1804	chrome.exe	94
PID 1804 wrote to memory of 1580	1804	chrome.exe	94
PID 1804 wrote to memory of 1580	1804	chrome.exe	94
PID 1804 wrote to memory of 1580	1804	chrome.exe	94
PID 1804 wrote to memory of 1580	1804	chrome.exe	94
PID 1804 wrote to memory of 1580	1804	chrome.exe	94
PID 1804 wrote to memory of 1580	1804	chrome.exe	94
PID 1804 wrote to memory of 1580	1804	chrome.exe	94
PID 1804 wrote to memory of 1580	1804	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe
"C:\Users\Admin\AppData\Local\Temp\5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    3⤵
    PID:4744
- - C:\Users\Admin\1000003002\a69c7f19fc.exe
    "C:\Users\Admin\1000003002\a69c7f19fc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:72
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\1000004001\1b4a7ce87f.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\1b4a7ce87f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3316
- - C:\Users\Admin\AppData\Local\Temp\1000005001\0045efde07.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\0045efde07.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffaa9bcab58,0x7ffaa9bcab68,0x7ffaa9bcab78
        5⤵
        
        PID:4716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:2
        5⤵
        
        PID:2080
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:8
        5⤵
        
        PID:4944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:8
        5⤵
        
        PID:1580
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:1
        5⤵
        
        PID:4164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:1
        5⤵
        
        PID:2676
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4232 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:1
        5⤵
        
        PID:4584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:8
        5⤵
        
        PID:4564
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:8
        5⤵
        
        PID:3864
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:8
        5⤵
        
        PID:1028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1924,i,17944321756299999496,12345682763702714276,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000003002\a69c7f19fc.exe

Filesize
1.8MB

MD5
b60d82b8244e964110f66e7ad34dc37b

SHA1
413eb99c2ab5ea8f43d651b0100e76fc53aeba70

SHA256
a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c

SHA512
0641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7b74a1e9-907b-4633-bbf6-a9951b9d5c0e.tmp

Filesize
281KB

MD5
48c174b1d09e005811db326e34e1c616

SHA1
c6c6839301fad3e680d6408d1817b44133fd0313

SHA256
4eb441dff3d77879a62535df2aef56e2ef8aa001ef320c140956f7949bb49e49

SHA512
d800cd0f1c1e53f43183d155d0a5c8f943c7165e482ee3e381f3863e77e26a1d56b4ba7c35b4e244b8cc5605fd18e501140e52373c240ad6c32ae87e5ce46d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
346ff72a36958b0b4872c373e462b9c6

SHA1
558eb6ac561fa91688730fa81beabb40808e07b7

SHA256
41d3073c2cc53e9f01fd6599c853ba3a24dd3f537c9ad4893f2a8ed4cf2b8f60

SHA512
6decbb34c6444e621b02dd7d0119b5eb2f5b48c6ee21bad154aabcfcbc7bb13e1274314a6b31ed8661701e67e2360713cc7a0cacaf7a131837bda07f8cce747a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
20e3889a314a4fa2ea9af4fa9ed29ab1

SHA1
a0b2e3bc171b0f855e4694e1b4deecbad092da6b

SHA256
ee55c37ae35d5981da60824322414941ccf21384e4d420e9bed2eb45dadc9121

SHA512
07b7bc19ef383ad0777cde9745d243994557ce4e12f72dde60e7895e27599c24fbee690687b519f288920d766a0f3fe9d72f7e7748d15148896faa3974de3642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6444254f80f10cd1d8652cc17cc08d88

SHA1
81617dfe1ee7c0bc2481243db71c607b4f227813

SHA256
1f92993445145320ac4adf687dd9141331b3edcd323e4da2e16d507703e77fc4

SHA512
dc6ee2cd2a5acad2597a5216cd7b9797f026c3a7ae170b6f6083ceb3416f88ac26f7be3dd19807817b77464bb39a1ad4ea698cd82d306110153fb931319456ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
fbe01af0f905cdb36542d026600b594b

SHA1
d2d02ac442af4edd0355a25899ab2a58b72eede8

SHA256
51111cf9441da425d6b5f6629cfe2735ebc2f6f8fac7d1510f57301960687ccc

SHA512
80f51d0ab12c532e5538764a88fe46437fd52037dd03fc58c3ea6707f1360de3ace98b784120ec7db2201ec983db1815995cd63cf04b2ddd48afcee94ea9d9c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5586337ea1e5f92f4d2b44cc833ac6b0

SHA1
16146df5df7412fb01f3509ffe60e452d8f03c7c

SHA256
40779c1a0ac486c7965c0c4ab21ea4a157b9ea54e0ea5ef0d0ef7e4126ccd443

SHA512
1d7e78b9c481a93f9b0ff0dc3557eceeb8afb13c8831ed1b7e5a81214106f4f9e256bb0e985fbbde003e7845ff162afb50e3a287a0a12dd6dc8f316865d02732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
53ad894a1f1b1d969d598b444bed204a

SHA1
e53e2d200227584120094055e52a07d1b1b0a4c0

SHA256
19ef1caac4633861238cedeb5ba0ad4ebd2a4315da7667e3206155994516e6b4

SHA512
76213e80395a406a935c4659618116fbfeabedf76416314f82d59aa9bbdbd4c0ee672ed5ebe22d64146c311c6feb6bb8583209532dd3a0ba20c1949bfd94d05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\1b4a7ce87f.exe

Filesize
2.3MB

MD5
0e193bc1b573cdb5ce555b8c3b85fd38

SHA1
b1d37e03f56da2371b77a658a10ba1bbde543aa7

SHA256
393fed8f20e48673bba10214ebf7be5937315accdca57dc2dba216664daf6716

SHA512
5e45074b1ce7dad64030d5eddecabc73c272940d093aefef186add0c55203208ed94651138a6b9b3c1ebfd3032e9b3737617be150cd781f0add4168f3dc01711

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\0045efde07.exe

Filesize
2.3MB

MD5
acc284cc9cafe2c1a690644335ea60f6

SHA1
1bf375ef7536e3d1be0cac27fd068c5374a79da8

SHA256
0ae60b27057de0faa3bc15e38e1b574d4df898d7c4169ab91a136bca4ab3eb7a

SHA512
266fb7276c036f518ed71ff890fe61c4cdaa000b48a4e20a0f9fbfd1e7b32bc809c9d3fac18294b823a562e3cbe28d58b9ef27db933011289a6be19d8fec8268

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Filesize
1.8MB

MD5
344fd6bf5a21dc5d57ca85ec059f075b

SHA1
2cc41beff75d838b5695e90de3b6a4a5cb596f46

SHA256
5614ad338553da8fae93c449b4c17a1938808d7447aa1cdbadad36c9ecf7f2af

SHA512
47ce19f91b09bfa2077f37f186a215d1075305f88b4ff2585a987444ce72ff4e1a4dabd6651f0df33f4984e9dbc76999503742b3d556f1ba9ae065da977c81ae

Download Submit
memory/72-39-0x0000000000500000-0x000000000099A000-memory.dmp

Filesize
4.6MB

Download
memory/72-53-0x0000000000500000-0x000000000099A000-memory.dmp

Filesize
4.6MB

Download
memory/1760-207-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-186-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-73-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-245-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-237-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-21-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-19-0x0000000000451000-0x000000000047F000-memory.dmp

Filesize
184KB

Download
memory/1760-234-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-141-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-231-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-148-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-146-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-229-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-20-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-18-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-224-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-203-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-200-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-175-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/1760-189-0x0000000000450000-0x0000000000904000-memory.dmp

Filesize
4.7MB

Download
memory/2912-227-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-204-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-183-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-51-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-244-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-236-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-140-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-188-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-233-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-230-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-174-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-225-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-201-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/2912-208-0x0000000000F80000-0x000000000141A000-memory.dmp

Filesize
4.6MB

Download
memory/3316-232-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-147-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-246-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-209-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-238-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-235-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-187-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-226-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-202-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-72-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-228-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-176-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-190-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3316-205-0x00000000008D0000-0x0000000000EC1000-memory.dmp

Filesize
5.9MB

Download
memory/3472-149-0x0000000000D80000-0x00000000012E0000-memory.dmp

Filesize
5.4MB

Download
memory/3472-177-0x0000000000D80000-0x00000000012E0000-memory.dmp

Filesize
5.4MB

Download
memory/3472-91-0x0000000000D80000-0x00000000012E0000-memory.dmp

Filesize
5.4MB

Download
memory/3472-185-0x0000000000D80000-0x00000000012E0000-memory.dmp

Filesize
5.4MB

Download
memory/3472-184-0x0000000000D80000-0x00000000012E0000-memory.dmp

Filesize
5.4MB

Download
memory/4736-3-0x0000000000BA0000-0x0000000001054000-memory.dmp

Filesize
4.7MB

Download
memory/4736-17-0x0000000000BA0000-0x0000000001054000-memory.dmp

Filesize
4.7MB

Download
memory/4736-2-0x0000000000BA1000-0x0000000000BCF000-memory.dmp

Filesize
184KB

Download
memory/4736-0-0x0000000000BA0000-0x0000000001054000-memory.dmp

Filesize
4.7MB

Download
memory/4736-5-0x0000000000BA0000-0x0000000001054000-memory.dmp

Filesize
4.7MB

Download
memory/4736-1-0x0000000077606000-0x0000000077608000-memory.dmp

Filesize
8KB

Download