Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07-05-2024 17:38
General
-
Target
7d1ba7070a1261c5bd8eb7f36b94459d9f0351ee0b8436e6c1b7f9680251d7e4.exe
-
Size
1.8MB
-
MD5
7f403a8f08d295f3bcb884904967ca09
-
SHA1
a08ba114fc0b0b8f766a979f3a61e033e62a3b46
-
SHA256
7d1ba7070a1261c5bd8eb7f36b94459d9f0351ee0b8436e6c1b7f9680251d7e4
-
SHA512
8ee20adb8edbc14c053b88aed767e6b6fb46b5907c211257c6e9ea3f2249108f70245d4b01d95610bb9015a58775e2f2785bb0648add522fd8eb1bb6c40f14d3
-
SSDEEP
49152:TxJH07bcuwSYqKBU1+GrsqWp/kz9pdAaDP+:dPuwSYqKBU16qSkz9pdAM2
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
risepro
147.45.47.126:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 21 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 10 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 52 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 61 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d1ba7070a1261c5bd8eb7f36b94459d9f0351ee0b8436e6c1b7f9680251d7e4.exe"C:\Users\Admin\AppData\Local\Temp\7d1ba7070a1261c5bd8eb7f36b94459d9f0351ee0b8436e6c1b7f9680251d7e4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000104001\main0506.exe"C:\Users\Admin\AppData\Local\Temp\1000104001\main0506.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"6⤵
-
C:\Windows\system32\mode.commode 65,107⤵
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p1801309317623241012989714669 -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exeattrib +H "componentCommon.exe"7⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\main\componentCommon.exe"componentCommon.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\TextInputHost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\System.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\chrome.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EARc2MIvFs.bat"8⤵
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe"C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main6⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exenetsh wlan show profiles7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\720366693769_Desktop.zip' -CompressionLevel Optimal7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\e2c568fe8a.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\e2c568fe8a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\1000021002\62a25912aa.exe"C:\Users\Admin\1000021002\62a25912aa.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc329cc40,0x7ffcc329cc4c,0x7ffcc329cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,11701806879457536086,13927447569187056965,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2000 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,11701806879457536086,13927447569187056965,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2476 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1340,i,11701806879457536086,13927447569187056965,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2580 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,11701806879457536086,13927447569187056965,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2936 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,11701806879457536086,13927447569187056965,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3076 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,11701806879457536086,13927447569187056965,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4460 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,11701806879457536086,13927447569187056965,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4832 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=832,i,11701806879457536086,13927447569187056965,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=208 /prefetch:85⤵
- Drops file in System32 directory
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\Common Files\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD558bd002c3e495bb038978697056b39d3
SHA11f45e1081faa1eedba47420aa9661efbd17481d6
SHA2564993cf62256f10138a273f812b45beded9b7557f7418b46fd94f4e8a60036066
SHA51211036644315c6bee2f6da4a263b0d2ec27f614620a6b2c56de954c89ffca7f52df9d7cb88d3e5115509518bf52a9b448788d0be638bbfe2dfd1bb1ebb6f5114e
-
Filesize
649B
MD5f190e1885d5a3f0b6cc5e157c6c632c5
SHA11ceb6cb806853e0e8dcb641c9c2a0f3f97d178f5
SHA25610f2277d2add60efb1299bcb7b6cdc4513dae21e6f3144fc764b20bd47b8a7d0
SHA51212ecee20e5cc117afa46bd2e3441a63ce3e247a05ccc456cfab9e8fb1ce5788aa888fcf3bb11c671503a8c674cc330ab74f19e26e12519bb50be8103edc041ff
-
Filesize
264B
MD5d7c106149a3b9cc111c8cf70f34d87ac
SHA17f62023a660334ac6f3d5e5171e5d39aaa5cb006
SHA256fd025ea8712f977255d839fbb9be38508b5491f47c1d30c3365b6d51fd9190aa
SHA512f5ec73801d0a30eb90c35fd97c61ded9324d1abc4c007582b85155b5b92698a3839949a533ec548539342cbba75e16710b3ace443f6092b724fa9cd2516f906a
-
Filesize
3KB
MD59de7e4a995ec787445ba0939ee996273
SHA1aa85c06c900ec566c989f5507ee77ec987261d0e
SHA256b2f4baa8e4f7992c44d9dc7d36fa6f49d7ddbcbb9243f223fdff93142320b15a
SHA5120413503bd9ad6f58146abd663e81dd731ff813ddec0e33b7e29e8972db9d3ee5613c7f3ba70b16c95a9a1a9632ae42a95d6b7e108357dafe71ab51c76438c629
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD570d3c3b640be486fb819343f24e8527a
SHA12e2d6ab4e4286963940e66337b9a68cb3648a21e
SHA25632154882d5551add2071e768299a487b5d9d46f30d59b0185d355fe155a0a6e2
SHA51281bf76b826fc48f2822058ca5d76a00847921dddafadc6e106548ca76cebb90d49d2056717bd1cd08980ce3712dd565f68a5d513bc950eef15c5165aa48bd3c4
-
Filesize
9KB
MD5cdb0bbde17a65af9b0b847b5d90a7771
SHA115ed3dcd520d7600602497a98530be7169adc847
SHA256941004d2e65f3040da02d858cb651bb0facd4ed46bd036e8dd187eb081fd12c0
SHA51243993f345035d1696aeeb244a31912a97bcc7927c2b105feaf62248411c111ed6d9d5e26f39dbb4cc1cd10cbcfe3811aa93afd5041d9d995e389e5d5151665b7
-
Filesize
9KB
MD5b90361d57dd030a1bd90bedfb91e966b
SHA12e50a953af55c1a2f6bbb6b4461b8f3d6b84436e
SHA256727d7f7bc5f390ed6210f4ea8bda68b651d3d69efdd78fe8e35af7a13250996d
SHA5128111579980402fb737a0a109206db380c65fdb922c6ba2c11b23bcaa1f948bc0f9272b6f42d49c21c75cf3ae2e95b14b609a32755e75eab9a2605df227fe57cd
-
Filesize
9KB
MD5154d6d9583b6e4f73f4e5e9de1d5bb89
SHA15514a3151e6250e84037d3196ef7e74e5b911303
SHA2563734417b0e63477cb89860233bab65203fd66552781c30e1042a6d527a3d47c8
SHA512b07786b280fd55c5662d7c1f3f2b03d690556a6f3c914b5d04ac57aaf365499c72a9c9e79e9e0cdcd85ae8e1c11e55be3c2c385ea683c33b4e5535fcd4af2380
-
Filesize
9KB
MD5d76ddf9749c0acfe37908c80b096fef4
SHA12d6643f59a173ca98f65df54612e2d1d48768d64
SHA25661e502e6b86d2a05fde4753cc175c7c19da5cfb18cd24ae5c1ae48f4dbed0500
SHA512a4427547fd3b0d4e8bf3df6fb614b3d3341097468246e60f18e705e48612dd49fab0237c3ce96cab1c3a05e8a99a2ab79d18715476f23d2997131878e4555f0b
-
Filesize
9KB
MD572b1e5e28073044cd1aacdc9893cd67c
SHA124d489aa98dddd87c2cefae1f985253828f3926a
SHA256b64aa5c0108cc0d459687f0b72482c03a09a813233f02c17ce112eb7ebcbc5b3
SHA512493478804dfada356df4b4ae0c41d01ee38414cfbbe7a7d9cac901d1abb3ad47178754e2cf62423b34ff2b4c1465aaef7fc85e47bcb1ee8f5ae1328b321da03b
-
Filesize
9KB
MD529f0f7053e1e723355f800ef40da53fe
SHA1778ff5699b2ad2b4be7d3046b63128ac377420ff
SHA2565ab814246bbad1eb57dc7b0ca72655dea702666fe8ae18cf311645f7a62553a4
SHA5126ef7fb998eeb2113228ca20d6452fd748cc43be8c2b554ba3d4c7871f7e9b672cc4cc420e8d3856ce0c0ad3dbb05091b8ede5cc6280bcf10ef677b64d27b2c1f
-
Filesize
15KB
MD5c146494da0beef9eec8315838188a54e
SHA141c89982149d04c520a91929f3aa92655b43d35b
SHA256e63379e7221038ae4076c452983ae9331b9860edfeb5d9c1543cc56f4e8c4e3b
SHA512000f01518ed711070e8c771268adc5e38d0eb3aebf4c499ee9031993c250fee1f13f7a9ddef5dc4bb19183b36070280d6bbce3f7ff9b2bb0a8cc3faef9a8be57
-
Filesize
152KB
MD5c9332dd45c75daf15df7ef4a07ceffd1
SHA1482d9c0947c19b663481e4aa0026f5292fe5a720
SHA256325f337b21ee2a6c1f6c8ac147a13e9942b86f909f9631d42987c4ea033ba23d
SHA5125a568e26af2a5576da981737b7008916795612e28b537efe46ba3eae203eda10b3125d7cc931f03b39dd638eb84d9228e692d3f2dd84248dec1cab63d6a14adc
-
Filesize
152KB
MD5463f702e08b546bdb7cff9bcbe26cec7
SHA18187a544ac3193779014d8e8b7daa98734f768db
SHA2567aca8f8c9bd5d530a168a2a6c1cf79391ac9827b3ea42deb82e9d8e6b1e66674
SHA512e1b155dd1c24f09385cda5d79aea699b7a6b4b56020833fa610b2c1c774920505c63505c8dbb28f047cbf26cb76b8eb82bacda2b72db9ca80cda5f7462da0f8e
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD52979eabc783eaca50de7be23dd4eafcf
SHA1d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA51292bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba
-
Filesize
1.8MB
MD54fa8ccee555fe9ed3ba808f024df39e6
SHA1a7b878528a11ca141a1f04c6c75db2565753029f
SHA2568a10020b0e5fabb1b0d9a03baca74e9560414c9707ed511af0cdd92a3afbff0c
SHA51246660dd2a939e1db1549decb1ddc8c0c1cafbb490588c17f4348e6d9d2a67c984656a59cb444cd2af6460522166fdec9134bfa919d1b2e44bbd847d22ed546fd
-
Filesize
2.1MB
MD5fbf0f5890064ad2e655ad586b262f614
SHA18aaa95022bfdb688e1ebd3d1b203f88e1425f6bf
SHA2561d327d6866f7e72abb9ee987949b44a234af03214e098c845ce97704b6f91453
SHA51290070d5f5057ea361e9a520a8b9c2175324bd627198f344528cdbfb7d57c9279d711c7fe94965981853a5c7c55db73d93753f80065b6a367822cb9241cf0185c
-
Filesize
2.8MB
MD5b292ddee6971461b21d11d40fb405ba3
SHA1127596064d411c336ca59fa5f43ad6b0adbb0802
SHA256303e6bd3c63cdde12f79508ff515e8091ae047ed236e700d7987ea8b8c088a14
SHA512f7d7add3804064d641f613271cc8fd6db34e2a223d293c1527be6bc17ec7dfc7df0b9f76f56a3abf74ec7b432392f76064c51f0107b3011fce6e25bb8dd7e9a4
-
Filesize
1.8MB
MD57f403a8f08d295f3bcb884904967ca09
SHA1a08ba114fc0b0b8f766a979f3a61e033e62a3b46
SHA2567d1ba7070a1261c5bd8eb7f36b94459d9f0351ee0b8436e6c1b7f9680251d7e4
SHA5128ee20adb8edbc14c053b88aed767e6b6fb46b5907c211257c6e9ea3f2249108f70245d4b01d95610bb9015a58775e2f2785bb0648add522fd8eb1bb6c40f14d3
-
Filesize
240B
MD50df2b88f9040ddbcf2277a0c7a5e79dd
SHA187bdc14ebc7102c2a4235d3e3cf393ead98441c5
SHA2563e4ba6d757ad6e0d05c1acc92b47931c85f746ecd2f7ba6c020229cb5703b4bb
SHA5124dc055abd2bd0b0e84e132f869c554ceca634cc19f5ed9c9f0d867dc5558ff5814976db1f6eaf6cab4e019cb2f17255d6e20c49aad4906a7e2d925103fd46551
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
2.2MB
MD5264db4d2f6c16a463f5f531f0c45c86c
SHA1e08a0e2635ecdd5b5732fb372578455a2d515942
SHA25637e517021f0756e22d49db203408bf7d33da18be85e97a2ef67b93aba00c8795
SHA512144e27f15a5dc4985f0b66d56d8c862c4321aaa14bc15cdb62d68e018a9a5b608e7e910f36aea624ca23bea95b7cad1f29a9558bb0711bbcdb1fc25fcc898460
-
Filesize
776KB
MD5abb42f86c6d46390de53104becf04afc
SHA19927b7da6c0dfe37e31a10c35cf8b5a5a1a0ea6d
SHA25663aa3f63d025e756f7132c8094e094c3d93182deb655ebc55d3d23b1378594c5
SHA5127ee7ebc107162a2d8b835c73d489fc0f849eab2e1f0fef19290ee150c788df228e0df1abadb132947668d12595e625af53b76fd21a9d0a26c8c3586e940acad0
-
Filesize
311KB
MD52a2b88adb0ea489268a25895a497fe2a
SHA1025fd0d17cb8fa4f15ff86d37ab4d189d984cfc4
SHA256f9859bdb59165b8fa775b6b26f963005d6c383d71c71a4749405c3681fee0ca9
SHA512332a7750627d531ada3441b68caf286250feada59a4e221af2570f9fb7cc4532bf99f00396298836b95fef8b491dae3f9c9ead36a5fb41eec1c853d0f682124b
-
Filesize
311KB
MD5ef474088d55a22bce4a4f16637824953
SHA145bba7772accad376c33c6dedacad05d8a100d2c
SHA25688f1b33d4aaf105b13878675e5afce9bfdcb8a25e453ecfd46cd777422b1f164
SHA512c6c6024e1503378840230e98cc97108684470f3f6c40270441680a1711a89e5a7effec5108243ae09edbdc567676e601fa98c0d00e3fc080ecdde0a58de02901
-
Filesize
311KB
MD5f6e17cb3b6d875991c7871d5dd70c396
SHA1aab558eeda7b822f2ee42cb7199f673aaea8d4e1
SHA2568849b9a23689284975a462f953a4e57f9d5977dc26f6a969e69bdea1cca2c350
SHA512e590c4d27dbe5c99c4640298a3fe5ab5e381ec185363600a90a8727819c37822daab3ce23d26d1b604cf9e26ebfb79d2f3144e71d46b301e743d83a47eab7929
-
Filesize
311KB
MD5b2bdf1ba7388952b43e980d8fd1db5e2
SHA11577b1c07c4ea8c5de1f3313c90933711bb5d44f
SHA2567855fc3e054c2958028fd6ab688836c420ec0f5b0e9c7bd57a22451f0b0833e7
SHA512c64afd6e0bfdcb4dc038ab02a55ea842453d257f27c2f40ade99996886d28fce1637a4e1f953bc042198a0a43cb026bcd092749bbb2d096f591841c9127b208f
-
Filesize
311KB
MD533bf14cdd497887e701f5e168980af3b
SHA1a874a5e19e2b6482f49ce221447a51e44c855790
SHA2566306c363cc2df58202443b60915b66ec1f4d3fc6add73e346aca7cd401c0bbf0
SHA5120e253ad93554f8005c827b662f56158d2cb94716678ceecc33448cba3d2e8893f804408977da3d5d70b2af509724758544758531867843dcd27ae84dc2796d2f
-
Filesize
1.9MB
MD56642c84b7e8455f16b657e5631b954d5
SHA16a2b9db9a1765607327129c0adad7bdcf20f12e3
SHA256c87f06e36953ef8bc4084f02609d9cc7bba7a12f85d627425534612aa8a4dd3f
SHA512b235416e353460fde11cd8f9077fb3dfeb34c8901b565c9b90ad80bc20d46199bc5b1f763f425bac6f0805784bf01fe691f85b858d2ff5a87d3effab88bc2805
-
Filesize
1.9MB
MD5c29c95654b3e7bc06686ed1971ad0481
SHA1a7b98b0a3c217ca24c438d3decd5c5c6d71531d7
SHA2569487293cba78c8673e03c2a8723947339305b4b32b22b913eaf646f9ab0fc9a4
SHA512474f2f5ed09929572c9e7c9d45e4291d516a059ca1f18f96a44dcd44494c23233f013ebf16cd3dc94dc5dd0469467fa16867e7aa58b61f3b0cb2b855fe31ec8c
-
Filesize
504B
MD51d93f931ba784c0442b404365c36cde3
SHA14ecef82a21ecb3062b8b663327ade0ee6c7c4d53
SHA256eb884ac8c6f59d9b07fe70ee2fe8b8979faec78304bb5ba091b8ff3de3ff02ac
SHA512270bf092a761e804fcd71f5bdf46f1ea5c66fd7adc3267eb74c9d1e96b4a1fbe5722829155f5b1f925576e3ea920aaf4059b998f01be4ce375e20725e62221b7
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
112KB
-
Filesize
48KB
-
Filesize
800KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
136KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
40KB
-
Filesize
72KB