Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 01:51

Static task: static1
Behavioral task: behavioral1
- Sample: 03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe
- Resource: win10v2004-20240611-en
General
- Target: 03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe
- Size: 1.8MB
- MD5: 6c4ea5959222315f89ec2a4c31a79b42
- SHA1: b0e03f4bb8f6cd1e0d35abe12e6a38f500b61c08
- SHA256: 03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39
- SHA512: 32697372fdde9adb6994838ff81d00b8e02d0e26ffb2feb8eaf366180bad7b7e0a22c8e92284680733ef1015b437144694793cdfc7791913b1a6f9771fe67695
- SSDEEP: 24576:og3sr8oHTTR24gnp/KrmQ5Ne6QtHO77+ZNLnWcMXHasyU6kMchs4CerhcnexdC:vcr8cTFfgZGi6DEjxU6k5Opea8
Malware Config

Extracted
- Family: amadey
- Version: 4.30
- Botnet: 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php

Extracted
- Family: stealc
- Botnet: jony
- C2: http://85.28.47.4
- url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (AKJKFBAFID.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (EBGCBAFCGD.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (EBGCBAFCGD.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (AKJKFBAFID.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (EBGCBAFCGD.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (AKJKFBAFID.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)

Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation (03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation (explorti.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation (f42e211e83.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation (1de9636ff3.exe)

Executes dropped EXE 8 IoCs
Processes:
- PID 4532 explorti.exe
- PID 764 1de9636ff3.exe
- PID 1912 f42e211e83.exe
- PID 336 explorti.exe
- PID 5456 AKJKFBAFID.exe
- PID 5224 EBGCBAFCGD.exe
- PID 6124 explorti.exe
- PID 6104 explorti.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine (AKJKFBAFID.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine (EBGCBAFCGD.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine (03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe)

Loads dropped DLL 2 IoCs
Processes:
- PID 764 1de9636ff3.exe
- PID 764 1de9636ff3.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- resource behavioral1/files/0x0007000000023633-43.dat, yara_rule autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
Processes:
- PID 3520 03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe
- PID 4532 explorti.exe
- PID 764 1de9636ff3.exe
- PID 764 1de9636ff3.exe
- PID 336 explorti.exe
- PID 764 1de9636ff3.exe
- PID 5456 AKJKFBAFID.exe
- PID 5224 EBGCBAFCGD.exe
- PID 6124 explorti.exe
- PID 6104 explorti.exe

Drops file in Windows directory 1 IoCs
Processes:
- File created C:\Windows\Tasks\explorti.job (03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (1de9636ff3.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (1de9636ff3.exe)

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Modifies data under HKEY_USERS 2 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645315251113603" (chrome.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (repeated identical entries collapsed):
- PID 3520 03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe
- PID 4532 explorti.exe
- PID 764 1de9636ff3.exe (the bulk of the 64 hits)
- PID 336 explorti.exe
- PID 1204 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
- PID 1204 chrome.exe
- PID 1204 chrome.exe
- PID 1204 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (repeated identical entries collapsed; the 64 hits alternate between the two tokens):
- Token: SeShutdownPrivilege (PID 1204 chrome.exe)
- Token: SeCreatePagefilePrivilege (PID 1204 chrome.exe)

Suspicious use of FindShellTrayWindow 62 IoCs
Processes (repeated identical entries collapsed):
- PID 1912 f42e211e83.exe
- PID 1204 chrome.exe

Suspicious use of SendNotifyMessage 59 IoCs
Processes (repeated identical entries collapsed):
- PID 1912 f42e211e83.exe
- PID 1204 chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 764 1de9636ff3.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (repeated identical entries collapsed; columns are description, pid, Process, procid_target):
- PID 3520 wrote to memory of 4532 (03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe, procid_target 93)
- PID 4532 wrote to memory of 764 (explorti.exe, procid_target 99)
- PID 4532 wrote to memory of 1912 (explorti.exe, procid_target 101)
- PID 1912 wrote to memory of 1204 (f42e211e83.exe, procid_target 102)
- PID 1204 wrote to memory of 4288 (chrome.exe, procid_target 104)
- PID 1204 wrote to memory of 3932 (chrome.exe, procid_target 106)
- PID 1204 wrote to memory of 2312 (chrome.exe, procid_target 107)
- PID 1204 wrote to memory of 848 (chrome.exe, procid_target 108)
Processes

- C:\Users\Admin\AppData\Local\Temp\03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe (PID 3520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39.exe"
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 4532)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      Signatures:
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Users\Admin\AppData\Local\Temp\1000006001\1de9636ff3.exe (PID 764)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\1de9636ff3.exe"
          Signatures:
            - Checks computer location settings
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
          Child processes:
            - C:\Windows\SysWOW64\cmd.exe (PID 2756)
              Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKJKFBAFID.exe"
              Child processes:
                - C:\Users\Admin\AppData\Local\Temp\AKJKFBAFID.exe (PID 5456)
                  Command line: "C:\Users\Admin\AppData\Local\Temp\AKJKFBAFID.exe"
                  Signatures:
                    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    - Checks BIOS information in registry
                    - Executes dropped EXE
                    - Identifies Wine through registry keys
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
            - C:\Windows\SysWOW64\cmd.exe (PID 5724)
              Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBGCBAFCGD.exe"
              Child processes:
                - C:\Users\Admin\AppData\Local\Temp\EBGCBAFCGD.exe (PID 5224)
                  Command line: "C:\Users\Admin\AppData\Local\Temp\EBGCBAFCGD.exe"
                  Signatures:
                    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    - Checks BIOS information in registry
                    - Executes dropped EXE
                    - Identifies Wine through registry keys
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
        - C:\Users\Admin\AppData\Local\Temp\1000007001\f42e211e83.exe (PID 1912)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\f42e211e83.exe"
          Signatures:
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
          Child processes:
            - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1204)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
              Signatures:
                - Enumerates system info in registry
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory
              Child processes:
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4288)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8e2c7ab58,0x7ff8e2c7ab68,0x7ff8e2c7ab78
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3932)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:2
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2312)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:8
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 848)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:8
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1984)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:1
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4336)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:1
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5432)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:1
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5984)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4224 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:8
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6032)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4176 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:8
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6088)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:8
                - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5900)
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=872 --field-trial-handle=1824,i,17550510043414179738,12379195300357708736,131072 /prefetch:2

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4488)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4140,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8

- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 336)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 3212)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5760)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3028,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4476 /prefetch:3

- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 6124)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger

- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 6104)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Downloads