Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 01:57
Static task: static1
Behavioral task: behavioral1
Sample: bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
Resource: win7-20240611-en
General
Target: bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
Size: 2.4MB
MD5: f7f2373c7005d9978782be75bef6a1c4
SHA1: 24523818e79c6ccc38c90de912743552e98be2be
SHA256: bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13
SHA512: 26e4a9ba65207c91dd181c5010d051838d6172dcbfc165aa750cbe72297dde0b0c0e54b024a6cba070089f3ac5f943d67ba779ee64f78a8f37b425f274f607d8
SSDEEP: 49152:IK08+UO8Ajkw2s5uNuuiV/0H31F7AqxxJ/PgWAOEIm9B1:/V+UTwDl5eiGXPNxxJQxIm
Malware Config
Extracted
Family: stealc
Botnet: jony
C2: http://85.28.47.4
Attributes:
  url_path: /920475a59bac849d.php
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
Attributes:
  install_dir: ad40971b6b
  install_file: explorti.exe
  strings_key: a434973ad22def7137dbb5e059b7081e
  url_paths: /Hun4Ko/index.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | EBKJDBAAKJ.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | EBKJDBAAKJ.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | EBKJDBAAKJ.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | EBKJDBAAKJ.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | explorti.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | 880f763fff.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE 5 IoCs
Processes:
  pid | Process
  4528 | EBKJDBAAKJ.exe
  644 | explorti.exe
  1940 | 880f763fff.exe
  2384 | explorti.exe
  4224 | explorti.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | EBKJDBAAKJ.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine | explorti.exe
Loads dropped DLL 2 IoCs
Processes:
  pid | Process
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  behavioral2/files/0x0007000000023489-101.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
  pid | Process
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  4528 | EBKJDBAAKJ.exe
  644 | explorti.exe
  2384 | explorti.exe
  4224 | explorti.exe
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | Process
  File created | C:\Windows\Tasks\explorti.job | EBKJDBAAKJ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
Processes:
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645318674119875" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
  pid | Process
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  4528 | EBKJDBAAKJ.exe
  4528 | EBKJDBAAKJ.exe
  644 | explorti.exe
  644 | explorti.exe
  3424 | chrome.exe
  3424 | chrome.exe
  2384 | explorti.exe
  2384 | explorti.exe
  4224 | explorti.exe
  4224 | explorti.exe
  424 | chrome.exe
  424 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
  pid | Process
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | Process
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
  Token: SeShutdownPrivilege | 3424 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3424 | chrome.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  pid | Process
  4528 | EBKJDBAAKJ.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  3424 | chrome.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
Suspicious use of SendNotifyMessage 60 IoCs
Processes:
  pid | Process
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  3424 | chrome.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
  1940 | 880f763fff.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid | Process
  3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe
  528 | cmd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | Process | procid_target
  PID 3112 wrote to memory of 3960 | 3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe | 92
  PID 3112 wrote to memory of 3960 | 3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe | 92
  PID 3112 wrote to memory of 3960 | 3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe | 92
  PID 3112 wrote to memory of 528 | 3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe | 94
  PID 3112 wrote to memory of 528 | 3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe | 94
  PID 3112 wrote to memory of 528 | 3112 | bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe | 94
  PID 3960 wrote to memory of 4528 | 3960 | cmd.exe | 96
  PID 3960 wrote to memory of 4528 | 3960 | cmd.exe | 96
  PID 3960 wrote to memory of 4528 | 3960 | cmd.exe | 96
  PID 4528 wrote to memory of 644 | 4528 | EBKJDBAAKJ.exe | 99
  PID 4528 wrote to memory of 644 | 4528 | EBKJDBAAKJ.exe | 99
  PID 4528 wrote to memory of 644 | 4528 | EBKJDBAAKJ.exe | 99
  PID 644 wrote to memory of 1940 | 644 | explorti.exe | 100
  PID 644 wrote to memory of 1940 | 644 | explorti.exe | 100
  PID 644 wrote to memory of 1940 | 644 | explorti.exe | 100
  PID 1940 wrote to memory of 3424 | 1940 | 880f763fff.exe | 101
  PID 1940 wrote to memory of 3424 | 1940 | 880f763fff.exe | 101
  PID 3424 wrote to memory of 540 | 3424 | chrome.exe | 103
  PID 3424 wrote to memory of 540 | 3424 | chrome.exe | 103
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 1616 | 3424 | chrome.exe | 104
  PID 3424 wrote to memory of 4092 | 3424 | chrome.exe | 105
  PID 3424 wrote to memory of 4092 | 3424 | chrome.exe | 105
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
  PID 3424 wrote to memory of 3820 | 3424 | chrome.exe | 106
Processes

C:\Users\Admin\AppData\Local\Temp\bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf5ba13df7f7549e987f77091823fd0f77ba7fd4514000e60ad9a4c28f949c13.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3112

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3960

    C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\EBKJDBAAKJ.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 4528

      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 644

        C:\Users\Admin\AppData\Local\Temp\1000007001\880f763fff.exe (level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\880f763fff.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 1940

          C:\Program Files\Google\Chrome\Application\chrome.exe (level 6)
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
            - Enumerates system info in registry
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 3424

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0a78ab58,0x7ffe0a78ab68,0x7ffe0a78ab78
              PID: 540

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:2
              PID: 1616

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
              PID: 4092

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
              PID: 3820

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:1
              PID: 3672

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:1
              PID: 4140

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:1
              PID: 4244

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
              PID: 4332

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
              PID: 5056

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:8
              PID: 1456

            C:\Program Files\Google\Chrome\Application\chrome.exe (level 7)
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2352 --field-trial-handle=1912,i,2467652216331737151,11400500316938559479,131072 /prefetch:2
              - Suspicious behavior: EnumeratesProcesses
              PID: 424

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID: 528

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (level 1)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 2056

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2384

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4224
Network
MITRE ATT&CK Enterprise v15
Downloads