Analysis

max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 02:51

Static task: static1
Behavioral task: behavioral1
Sample: 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
Resource: win10v2004-20240508-en
General

Target: 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
Size: 1.8MB
MD5: 2ac3e8f24180b56fe14ea9dc6b4af66b
SHA1: dc6cdaa3e97935af94155e592b08c4300690a0a6
SHA256: 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4
SHA512: 79e17520bce4698bc134cbeafe20fac0b9c4439381c573ae1402e39c702a3f6150f05febfdefe978fb6055993e744d2061f6fbffec170c856d31610ac71a0635
SSDEEP: 49152:4rUPun14hSdN9aofCPip3tyivFRT0e6oV9Mqf:KnEK15FRnJV9M
Malware Config

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php

Extracted
Family: stealc
Botnet: jony
C2: http://85.28.47.4
url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IIEHJEHDBG.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IIEHJEHDBG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IIEHJEHDBG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | da4705ce46.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | bc4b0cf058.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE (7 IoCs)
Processes:
pid | Process
2368 | explorti.exe
2264 | bc4b0cf058.exe
2796 | da4705ce46.exe
5572 | IIEHJEHDBG.exe
5936 | explorti.exe
5672 | explorti.exe
2464 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine | IIEHJEHDBG.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | Process
2264 | bc4b0cf058.exe
2264 | bc4b0cf058.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/files/0x0007000000023602-41.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes:
pid | Process
2988 | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
2368 | explorti.exe
2264 | bc4b0cf058.exe
2264 | bc4b0cf058.exe
2264 | bc4b0cf058.exe
5572 | IIEHJEHDBG.exe
5936 | explorti.exe
5672 | explorti.exe
2464 | explorti.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | bc4b0cf058.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | bc4b0cf058.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645351085149289" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Modifies registry class (1 IoCs)
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | chrome.exe
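The registry-based signatures above (VirtualBox ACPI key, BIOS version strings, Geo\Nation, Software\Wine, CentralProcessor, the BIOS product/manufacturer reads from chrome.exe) are all the same shape of evidence: a process name, an operation and a registry path. The script below is an added example, not part of the report or of any sandbox's code. It takes rows transcribed from the tables above (constructed input), normalises the \REGISTRY\... prefixes so rules do not depend on the user SID, and classifies each row by signature. It also separates hits from the sample and its dropped binaries from hits from other processes, so that chrome.exe reading SystemManufacturer does not carry the same weight as explorti.exe opening the VBOX__ ACPI key. The ATT&CK technique IDs are my own mapping; the report only prints TTP counts.

```python
import re
from collections import Counter, defaultdict

# --- Constructed input: the registry rows from this report's signature tables ---
SAMPLE = "2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe"
HKLM = r"\REGISTRY\MACHINE"
USER = r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000"
# The sample plus the binaries the report lists under "Executes dropped EXE".
DROPPED = {SAMPLE, "explorti.exe", "bc4b0cf058.exe", "da4705ce46.exe", "IIEHJEHDBG.exe"}

def rows(op, path, procs):
    """Build report-style rows: '<operation> <registry path> <process>'."""
    return [f"{op} {path} {p}" for p in procs]

EVENTS = (
    rows("Key opened", HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__",
         ["explorti.exe", "explorti.exe", SAMPLE, "explorti.exe", "IIEHJEHDBG.exe", "explorti.exe"])
    + rows("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
           ["explorti.exe", "explorti.exe", SAMPLE, "IIEHJEHDBG.exe", "explorti.exe", "explorti.exe"])
    + rows("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
           ["explorti.exe", "IIEHJEHDBG.exe", "explorti.exe", "explorti.exe", "explorti.exe", SAMPLE])
    + rows("Key value queried", USER + r"\Control Panel\International\Geo\Nation",
           [SAMPLE, "explorti.exe", "da4705ce46.exe", "bc4b0cf058.exe", "cmd.exe"])
    + rows("Key opened", USER + r"\Software\Wine",
           ["explorti.exe", "explorti.exe", "explorti.exe", SAMPLE, "explorti.exe", "IIEHJEHDBG.exe"])
    + rows("Key opened", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0", ["bc4b0cf058.exe"])
    + rows("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
           ["bc4b0cf058.exe"])
    + rows("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", ["chrome.exe"])
    + rows("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", ["chrome.exe"])
    + rows("Key opened", HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS", ["chrome.exe"])
)

# Signature name as the report prints it, the normalised-path pattern it keys on, and the
# ATT&CK technique I map it to (my mapping, not the report's).
RULES = [
    ("Identifies VirtualBox via ACPI registry values", r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "T1497.001"),
    ("Checks BIOS information in registry", r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "T1497.001"),
    ("Checks computer location settings", r"^HKU\\<user>\\Control Panel\\International\\Geo\\Nation$", "T1614"),
    ("Identifies Wine through registry keys", r"^HKU\\<user>\\Software\\Wine$", "T1497.001"),
    ("Checks processor information in registry",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\ProcessorNameString)?$", "T1497.001"),
    ("Enumerates system info in registry",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\System(ProductName|Manufacturer))?$", "T1082"),
]

ROW = re.compile(r"^(Key opened|Key value queried) (.+) (\S+)$")

def normalize(path):
    # Kernel-style prefixes -> hive names; the logged-on user's SID becomes a placeholder
    # so the same rule matches any machine. Other HKU SIDs (e.g. S-1-5-19) are kept.
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+){4}", r"HKU\\<user>", path)
    path = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path)
    return re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path)

def parse(line):
    m = ROW.match(line)
    if not m:
        raise ValueError(f"unparsable row: {line!r}")
    op, path, proc = m.groups()          # the path may contain spaces; the process name does not
    return op, normalize(path), proc

def classify(lines, dropped=DROPPED):
    """Return (hits, other, unmatched): signature -> Counter(process) for the sample's own
    binaries, the same for every other process, and the rows no rule covers."""
    hits, other, unmatched = defaultdict(Counter), defaultdict(Counter), []
    for line in lines:
        _op, path, proc = parse(line)
        for name, pattern, ttp in RULES:
            if re.search(pattern, path):
                (hits if proc in dropped else other)[(name, ttp)][proc] += 1
                break
        else:
            unmatched.append(line)
    return hits, other, unmatched

def summarize(lines):
    """One tuple per rule: (signature, technique, rows from dropped binaries, rows from others)."""
    hits, other, unmatched = classify(lines)
    table = [(name, ttp, sum(hits[(name, ttp)].values()), sum(other[(name, ttp)].values()))
             for name, _pattern, ttp in RULES]
    return table, unmatched

if __name__ == "__main__":
    table, leftovers = summarize(EVENTS)
    for name, ttp, own, foreign in table:
        print(f"{ttp:10} {own:3d} own {foreign:3d} other  {name}")
    print("unmatched rows:", len(leftovers))
```

Run as-is it reproduces the IoC counts in the tables above (6, 12, 5, 6, 2, 3), with the Geo\Nation read by cmd.exe and the three BIOS reads by chrome.exe landing in the "other" column. The same split is what you want in a production rule: key on the registry path, but weight the hit by whether the reading process is the implant or a legitimate binary it happened to launch.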
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes (in report order, with the number of entries per run):
pid | Process | entries
2988 | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe | 2
2368 | explorti.exe | 2
2264 | bc4b0cf058.exe | 2
1988 | chrome.exe | 2
2264 | bc4b0cf058.exe | 14
5572 | IIEHJEHDBG.exe | 2
5936 | explorti.exe | 2
5672 | explorti.exe | 2
3548 | chrome.exe | 2
2464 | explorti.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
Processes:
pid | Process
1988 | chrome.exe
1988 | chrome.exe
1988 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | Process
Token: SeShutdownPrivilege | 1988 | chrome.exe
Token: SeCreatePagefilePrivilege | 1988 | chrome.exe
(the two rows above alternate for all 64 entries; every entry is from PID 1988 chrome.exe)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
pid | Process
2988 | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe (1 entry)
2796 | da4705ce46.exe (repeated)
1988 | chrome.exe (repeated)
(64 entries in total, interleaved between PID 2796 and PID 1988 after the single entry from the sample)
Suspicious use of SendNotifyMessage (60 IoCs)
Processes:
pid | Process
2796 | da4705ce46.exe (repeated)
1988 | chrome.exe (repeated)
(60 entries in total, interleaved between PID 2796 and PID 1988)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | Process
2264 | bc4b0cf058.exe
5516 | cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct writer/target pairs with the number of entries; procid_target is the report's internal process index, not a Windows PID):
description | pid | Process | procid_target | entries
PID 2988 wrote to memory of 2368 | 2988 | 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe | 88 | 3
PID 2368 wrote to memory of 2264 | 2368 | explorti.exe | 94 | 3
PID 2368 wrote to memory of 2796 | 2368 | explorti.exe | 96 | 3
PID 2796 wrote to memory of 1988 | 2796 | da4705ce46.exe | 97 | 2
PID 1988 wrote to memory of 4980 | 1988 | chrome.exe | 99 | 2
PID 1988 wrote to memory of 2376 | 1988 | chrome.exe | 100 | 31
PID 1988 wrote to memory of 3004 | 1988 | chrome.exe | 101 | 2
PID 1988 wrote to memory of 4344 | 1988 | chrome.exe | 102 | 18
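Every writer/target pair in the WriteProcessMemory table is also a parent/child pair in the process tree below (sample -> explorti.exe -> bc4b0cf058.exe / da4705ce46.exe -> chrome.exe -> chrome children). That is what ordinary process start-up looks like in these reports: the signature fires for the parent's writes into a child it has just created. The signal worth hunting for is a write into a process that is not the writer's own child. The script below is an added example, not part of the report or of any sandbox's tooling. Its input is constructed from the page: the distinct rows of the table above, repeated as often as the table shows them (the two long chrome.exe runs are shortened to four rows each), plus a parent map transcribed from the process tree. It collapses the rows to writer->target edges, flags any edge whose target is not the writer's direct child, and walks the lineage of a target back to the sample. The last test feeds it a row I made up (bc4b0cf058.exe writing into chrome.exe) to show what a real cross-process write would look like; the report contains no such row.

```python
import re
from collections import Counter

SAMPLE = "2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe"

# Constructed input: one row per distinct writer->target pair from the report's
# WriteProcessMemory table, repeated as the table shows (chrome.exe runs shortened).
WPM_ROWS = (
    [f"PID 2988 wrote to memory of 2368 2988 {SAMPLE} 88"] * 3
    + ["PID 2368 wrote to memory of 2264 2368 explorti.exe 94"] * 3
    + ["PID 2368 wrote to memory of 2796 2368 explorti.exe 96"] * 3
    + ["PID 2796 wrote to memory of 1988 2796 da4705ce46.exe 97"] * 2
    + ["PID 1988 wrote to memory of 4980 1988 chrome.exe 99"] * 2
    + ["PID 1988 wrote to memory of 2376 1988 chrome.exe 100"] * 4
    + ["PID 1988 wrote to memory of 3004 1988 chrome.exe 101"] * 2
    + ["PID 1988 wrote to memory of 4344 1988 chrome.exe 102"] * 4
)

# Parent of each PID, transcribed from the report's "Processes" tree (None = top level).
PARENT = {
    2988: None, 2368: 2988, 2264: 2368, 5484: 2264, 5572: 5484, 5516: 2264,
    2796: 2368, 1988: 2796, 4980: 1988, 2376: 1988, 3004: 1988, 4344: 1988,
    924: 1988, 1972: 1988, 1536: 1988, 5136: 1988, 5156: 1988, 5256: 1988,
    4812: 1988, 3548: 1988, 1040: None, 1656: None, 2680: None,
    5936: None, 5672: None, 2464: None,
}

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

def parse_row(row):
    """(writer_pid, target_pid, writer_name, procid_target) for one table row.
    procid_target is the report's internal process index, not a Windows PID."""
    m = ROW.match(row)
    if not m:
        raise ValueError(f"unparsable row: {row!r}")
    writer, target, pid, name, procid = m.groups()
    if writer != pid:                      # the description and the pid column must agree
        raise ValueError(f"writer/pid mismatch: {row!r}")
    return int(writer), int(target), name, int(procid)

def write_edges(rows):
    """Collapse the table to writer->target pairs with the number of writes per pair."""
    return Counter((w, t) for w, t, _name, _procid in map(parse_row, rows))

def injection_candidates(edges, parent=PARENT):
    """Writes into a process that is not the writer's direct child. A parent writing into
    the child it just created is process start-up; anything else deserves a look."""
    return sorted((w, t) for (w, t) in edges if parent.get(t) != w)

def lineage(pid, parent=PARENT):
    """Root-to-pid chain through the process tree."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = parent.get(pid)
    return chain[::-1]

if __name__ == "__main__":
    edges = write_edges(WPM_ROWS)
    for (w, t), n in sorted(edges.items()):
        print(f"{w} -> {t}: {n} writes, lineage of target {lineage(t)}")
    print("cross-process writes:", injection_candidates(edges) or "none")
```

On the report's own rows the candidate list is empty, which is the right reading of this table: the 64 IoCs are the sample's process-creation chain, not injection. The same check is also the reason the three top-level explorti.exe launches (PIDs 5936, 5672, 2464) deserve attention: nothing in the tree wrote to them, so they were started by something outside the tree, which is consistent with the explorti.job task file the sample dropped under C:\Windows\Tasks.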
Processes (indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4.exe"
  PID: 2988
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      PID: 2368
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1000006001\bc4b0cf058.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\bc4b0cf058.exe"
          PID: 2264
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIEHJEHDBG.exe"
              PID: 5484

                C:\Users\Admin\AppData\Local\Temp\IIEHJEHDBG.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\IIEHJEHDBG.exe"
                  PID: 5572
                  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  - Checks BIOS information in registry
                  - Executes dropped EXE
                  - Identifies Wine through registry keys
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIEHIDHJDB.exe"
              PID: 5516
              - Checks computer location settings
              - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\1000007001\da4705ce46.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\da4705ce46.exe"
          PID: 2796
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
              PID: 1988
              - Enumerates system info in registry
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4085ab58,0x7ffb4085ab68,0x7ffb4085ab78
                  PID: 4980

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:2
                  PID: 2376

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:8
                  PID: 3004

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:8
                  PID: 4344

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:1
                  PID: 924

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:1
                  PID: 1972

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3928 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:1
                  PID: 1536

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:8
                  PID: 5136

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:8
                  PID: 5156

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:8
                  PID: 5256

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:8
                  PID: 4812
                  - Modifies registry class

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=876 --field-trial-handle=1876,i,11821960818876604672,1497286013531250687,131072 /prefetch:2
                  PID: 3548
                  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8
  PID: 1040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2972,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:3
  PID: 2680

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  PID: 5936
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  PID: 5672
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  PID: 2464
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 216B
MD5: fd1a7988c48378f0b97fad97d9bb7fe6
SHA1: 12097c69980ee58728b43b924421de01d8911ce1
SHA256: 93035af17a85661b0bcb2c5781d855b02f0be03781718b8446b2a7623600619f
SHA512: ae65367e9dfa829330e7008a2347e2e1894b93d2cf2fa4cfcc71ff329148998b189b537da1d9ba425bf84e00b5d63d081205e347e931551532a0ed89ba6868fe

Filesize: 2KB
MD5: 02a389e50096d563ef145a77ae6e67f1
SHA1: 13eb06661355758f1f423d600b10476163ec4145
SHA256: 8e60432be16960d78c26895e9cf2573821edf24b4b15d2b26cc25072fb52da36
SHA512: dc78e608e6c77c0acf92148e7282f628a4b87c2943509dad212a676c02bf1f171286a8f0a20ccc080d152be7865e132f000f1a1017645dfea5d42e6b7bccee72

Filesize: 2KB
MD5: 5eea736090becdb966669e38748b8201
SHA1: dc7c2b39f47d2446d48a3ee4afe97c390da8343e
SHA256: d82cad0dbb0d8b59cfdfa7084db7b0302a3cea1c2fa03fd39b5a193cc0fd0f22
SHA512: cb800e4f62c9dc62165b469ac3d417d2c9079c1ced8b46191739a0c7cea182eb48abda660782b48b556d9fd78704dcc1b16243dbe4ee9ec9397302b6f646b19e

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 692B
MD5: 8eed112230f56367c82d8da883f360ac
SHA1: 83edefd86dd0f7e4a9c06ad3051f57da59d01550
SHA256: 0f0475a5c93db3273fbaf80743c05a00858d44165b065fd144c15965d037994e
SHA512: 0868979c005e295a7867d183bbfeaeb8a7563904739c1c5b348418bcd1f611aa9503561df7fa874bbcc1487fcf37c2dcf925f7a7691e5cd9cf277355e0de9708

Filesize: 7KB
MD5: c6dd43685068a5b3e185288c0f439ca8
SHA1: 855f18321885954f16f86e2919f140d8db3cc687
SHA256: 4e87d44acace82967184431674041d901e21b8ffe7e7bc9338bd4fef0f8d02b0
SHA512: 440b6014bd40095d8b65f154f7087ae22653181aff1ae6bfa335876d71b0dbd5798480bef38232f47c9cfad0a4be5289644a496eeef2756510d0bff11d6a7f80

Filesize: 16KB
MD5: 9e7664893ea1079288d226bc1dd692c0
SHA1: d92868ee91b431a703a579789c49ca42aac0d6d9
SHA256: a77a6d43bd309a324b7c6e11b0668673d7a785768e0bb5945920d8c18a9c2273
SHA512: 906e938b11a2b77ed7200589ec4219826df2828755d0dcf82a55d3b3bd05128ef9192756308a431bb580bcc7298128d9933d9a0ec1e5904e1157d32bc933a12e

Filesize: 270KB
MD5: 71eae545ce615768721e1de47b2196e6
SHA1: 51bf9f3a30405e46c568e44da32dc4ff32a74a72
SHA256: 6f57bab480aff0d7439f98d071ee7cfea920ccf36dc1f9ee6c3f59d692f2d456
SHA512: 2ee198e42efff51c8d8cd7ff4f092003bc7c057133443801c9e9601e390d651ddd588487800b4794f48616c1abee205b01ee8db9181c991f293aa61e143befb2

Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Filesize: 2.4MB
MD5: 1323616c7b4228edd3735c144d4632c2
SHA1: 34c45567ebdfcfeeb9d950aa527bf3bac2709a41
SHA256: 96a32d13cd84073e06f1b0c27c7daf3192bbce58278fbf5c1270bcae4c0eba37
SHA512: d023ba0ec57b3a80fdba972c259b60f4f3779a0d9692317e3e009507b8adf9bb66b63aa09214677dd8294750d7e8d6250722b5687fcca1e9eb7da16718c6a079

Filesize: 1.1MB
MD5: 1b4355374193536eb30ae594e235dcc3
SHA1: cabe5f6b6d5cb35548b224c70f89cd4176e2fe25
SHA256: 8620e0983a4ae6d7272c07285847068b6ddaa520fadca5061268bcfd30931597
SHA512: f93a080f75f429065982413418365178c760a0cb0c9bf79441d38d767366f5d1d81bc9581ee448eead38d4e9b37ecc442893ee5eaccdc59f03c297da3e8dd3cc

Filesize: 1.8MB (the submitted sample; hashes match the General section)
MD5: 2ac3e8f24180b56fe14ea9dc6b4af66b
SHA1: dc6cdaa3e97935af94155e592b08c4300690a0a6
SHA256: 2e40bb2644549ca572832cf5fd7f2ce1bbaa31ac271f794662dbd32ffa48b2d4
SHA512: 79e17520bce4698bc134cbeafe20fac0b9c4439381c573ae1402e39c702a3f6150f05febfdefe978fb6055993e744d2061f6fbffec170c856d31610ac71a0635

Filesize: not given (these are the hashes of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e