Analysis
max time kernel: 149s
max time network: 146s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22-06-2024 16:29
Static task: static1
Behavioral task: behavioral1
Sample: c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
Resource: win10v2004-20240508-en
General
Target: c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
Size: 1.9MB
MD5: 62071def9c66134b49b6f603d74bed23
SHA1: 8d75934ba64ae1885a249f38054e6a1073dc2a59
SHA256: c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1
SHA512: 6d607f896d8d5efb7e33c9958b545b052d830111383c92e1cbdbcd673aa62863fee702f1b648e178841cb0bc2ce92dd689e719d9899cfbe4014f3e4d5b3ed52c
SSDEEP: 49152:X0BAH1eZ4gk+pfKyCYYm1iycYakjytwP8KByvQhC6qLwia+f2:X0DWmpfdYmg8akjgcy4hORf
Malware Config
Extracted
Family: amadey
Version: 4.21
Botnet: 0e6740
C2: http://147.45.47.155
Attributes:
install_dir: 9217037dc9
install_file: explortu.exe
strings_key: 8e894a8a4a3d0da8924003a561cfb244
url_paths: /ku4Nor9/index.php
Extracted
Family: risepro
C2: 77.91.77.66:58709
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | faf34d8e54.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a86b8c8598.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | faf34d8e54.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a86b8c8598.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a86b8c8598.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | faf34d8e54.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe

Executes dropped EXE (5 IoCs)
pid | Process
1632 | explortu.exe
3584 | a86b8c8598.exe
3936 | faf34d8e54.exe
2292 | explortu.exe
1092 | explortu.exe

Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
Key opened | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine | a86b8c8598.exe
Key opened | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine | faf34d8e54.exe
Key opened | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine | explortu.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\a86b8c8598.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\a86b8c8598.exe" | explortu.exe

AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3936-114-0x0000000000F00000-0x0000000001452000-memory.dmp | autoit_exe
behavioral2/memory/3936-144-0x0000000000F00000-0x0000000001452000-memory.dmp | autoit_exe
behavioral2/memory/3936-152-0x0000000000F00000-0x0000000001452000-memory.dmp | autoit_exe
behavioral2/memory/3936-153-0x0000000000F00000-0x0000000001452000-memory.dmp | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
pid | Process
2728 | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
1632 | explortu.exe
3584 | a86b8c8598.exe
3936 | faf34d8e54.exe
2292 | explortu.exe
1092 | explortu.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\explortu.job | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635473764056832" | chrome.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
2728 | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
2728 | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
1632 | explortu.exe
1632 | explortu.exe
3584 | a86b8c8598.exe
3584 | a86b8c8598.exe
3936 | faf34d8e54.exe
3936 | faf34d8e54.exe
1460 | chrome.exe
1460 | chrome.exe
2292 | explortu.exe
2292 | explortu.exe
1092 | explortu.exe
1092 | explortu.exe
3516 | chrome.exe
3516 | chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid | Process
1460 | chrome.exe
1460 | chrome.exe
1460 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1460 | chrome.exe
Token: SeCreatePagefilePrivilege | 1460 | chrome.exe
(64 entries in total, strictly alternating between these two rows, all for pid 1460 chrome.exe)
Suspicious use of FindShellTrayWindow (63 IoCs)
pid | Process
3936 | faf34d8e54.exe
1460 | chrome.exe
(63 entries in total; every entry is one of these two rows)

Suspicious use of SendNotifyMessage (48 IoCs)
pid | Process
3936 | faf34d8e54.exe
1460 | chrome.exe
(48 entries in total; every entry is one of these two rows)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2728 wrote to memory of 1632 | 2728 | c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe | 81
PID 1632 wrote to memory of 764 | 1632 | explortu.exe | 82
PID 1632 wrote to memory of 3584 | 1632 | explortu.exe | 83
PID 1632 wrote to memory of 3936 | 1632 | explortu.exe | 84
PID 3936 wrote to memory of 1460 | 3936 | faf34d8e54.exe | 85
PID 1460 wrote to memory of 1984 | 1460 | chrome.exe | 88
PID 1460 wrote to memory of 3924 | 1460 | chrome.exe | 89
PID 1460 wrote to memory of 1892 | 1460 | chrome.exe | 90
PID 1460 wrote to memory of 2092 | 1460 | chrome.exe | 91
(64 entries in total; each row above is repeated several times, the chrome.exe rows targeting 3924 and 2092 most often)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c85a331c6c2c8ce617b2c80c45f3fa9c22dd2bbe461a2f5b7ab042ec394f4bd1.exe"
  PID: 2728
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Level 2: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      PID: 1632
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        Level 3: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
          PID: 764

        Level 3: C:\Users\Admin\AppData\Local\Temp\1000016001\a86b8c8598.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\a86b8c8598.exe"
          PID: 3584
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses

        Level 3: C:\Users\Admin\AppData\Local\Temp\1000017001\faf34d8e54.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000017001\faf34d8e54.exe"
          PID: 3936
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            Level 4: C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
              PID: 1460
              - Enumerates system info in registry
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff71c0ab58,0x7fff71c0ab68,0x7fff71c0ab78
                  PID: 1984

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:2
                  PID: 3924

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                  PID: 1892

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                  PID: 2092

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:1
                  PID: 4032

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:1
                  PID: 3780

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3844 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:1
                  PID: 3984

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4352 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                  PID: 4568

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                  PID: 3928

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:8
                  PID: 1908

                Level 5: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2772 --field-trial-handle=1848,i,4889424578096451019,11619796539220102913,131072 /prefetch:2
                  PID: 3516
                  - Suspicious behavior: EnumeratesProcesses

Level 1: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 2632

Level 1: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  PID: 2292
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

Level 1: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  PID: 1092
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads