Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 04-07-2024 05:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe
- Resource: win10v2004-20240508-en
General
- Target: 2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe
- Size: 1.8MB
- MD5: a5e4d4ed37b4d17d556dd8a4bc8a97cd
- SHA1: 15bc076d18b1ea36ca4e9780ee79b02ef6164e8b
- SHA256: 2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe
- SHA512: 188b905d8dac3efda35e1aec0fa2d2d85a9da6d2d7992424da16fa95f61e23fcb454d57c9b905144899786e273a69633fddb656e1afa9429e3fa9995ab0b721c
- SSDEEP: 24576:9IUWXk05n4qKU9C9yv+UYmU9UbuymJVtD2ajK8OjwKBOVdMNyu14xd+3FtR:9ICqNC9E+auL9v6aHSw82dMB14W3FtR
Malware Config
Extracted (amadey)
- Family: amadey
- Version: 4.30
- Botnet: 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php
Extracted (stealc)
- Family: stealc
- Botnet: jony
- C2: http://85.28.47.4
- url_path: /920475a59bac849d.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
IoCs (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (KFCAFIIDHI.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
IoCs (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (KFCAFIIDHI.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (KFCAFIIDHI.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
Executes dropped EXE (7 IoCs)
Processes (pid, process):
- 1436 explorti.exe
- 1172 explorti.exe
- 3768 1f58be129f.exe
- 1460 591fafbca7.exe
- 244 KFCAFIIDHI.exe
- 5100 explorti.exe
- 700 explorti.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
IoCs (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine (2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine (KFCAFIIDHI.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine (explorti.exe)
Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 3768 1f58be129f.exe
- 3768 1f58be129f.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
IoCs (resource, yara_rule):
- behavioral2/files/0x0002000000025c6e-48.dat: autoit_exe
Drops file in System32 directory (2 IoCs)
IoCs (description, ioc, process):
- File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF (chrome.exe)
- File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF (chrome.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes (pid, process):
- 4048 2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe
- 1436 explorti.exe
- 1172 explorti.exe
- 3768 1f58be129f.exe
- 3768 1f58be129f.exe
- 244 KFCAFIIDHI.exe
- 5100 explorti.exe
- 700 explorti.exe
Drops file in Windows directory (2 IoCs)
IoCs (description, ioc, process):
- File created C:\Windows\Tasks\explorti.job (2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe)
- File opened for modification C:\Windows\SystemTemp (chrome.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
IoCs (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (1f58be129f.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (1f58be129f.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
IoCs (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS (2 IoCs)
IoCs (description, ioc, process):
- Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645444314545557" (chrome.exe)
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (pid, process; repeated rows shown with a count):
- 4048 2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe (x2)
- 1436 explorti.exe (x2)
- 1172 explorti.exe (x2)
- 3768 1f58be129f.exe (x4)
- 4964 chrome.exe (x2)
- 244 KFCAFIIDHI.exe (x2)
- 5100 explorti.exe (x2)
- 700 explorti.exe (x2)
- 3940 chrome.exe (x4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes (pid, process):
- 4964 chrome.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description, pid, process; the 64 rows alternate between the two tokens below, all from the same process):
- Token: SeShutdownPrivilege, 4964 chrome.exe
- Token: SeCreatePagefilePrivilege, 4964 chrome.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, process; distinct rows among the 64):
- 4048 2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe
- 1460 591fafbca7.exe
- 4964 chrome.exe
Suspicious use of SendNotifyMessage (48 IoCs)
Processes (pid, process; distinct rows among the 48):
- 1460 591fafbca7.exe
- 4964 chrome.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 3768 1f58be129f.exe
- 464 cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, procid_target; distinct rows among the 64):
- PID 4048 wrote to memory of 1436 (4048 2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe, target 78)
- PID 1436 wrote to memory of 3768 (1436 explorti.exe, target 80)
- PID 1436 wrote to memory of 1460 (1436 explorti.exe, target 81)
- PID 1460 wrote to memory of 4964 (1460 591fafbca7.exe, target 82)
- PID 4964 wrote to memory of 3624 (4964 chrome.exe, target 85)
- PID 4964 wrote to memory of 2116 (4964 chrome.exe, target 86)
- PID 4964 wrote to memory of 2060 (4964 chrome.exe, target 87)
- PID 4964 wrote to memory of 2468 (4964 chrome.exe, target 88)
Processes (tree; [n] is the nesting level reported by the sandbox)
[1] C:\Users\Admin\AppData\Local\Temp\2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2e52551c053b0fa2ed76a0e247f6c5d9bd7e31c4d13d0647a44ce3d7441f77fe.exe"
    PID: 4048
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      PID: 1436
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1000006001\1f58be129f.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\1f58be129f.exe"
        PID: 3768
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KFCAFIIDHI.exe"
          PID: 2260
        [5] C:\Users\Admin\AppData\Local\Temp\KFCAFIIDHI.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\KFCAFIIDHI.exe"
            PID: 244
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFCFBFBFBK.exe"
          PID: 464
          - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Local\Temp\1000007001\591fafbca7.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\591fafbca7.exe"
        PID: 1460
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
          PID: 4964
          - Drops file in Windows directory
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fa8cc40,0x7ffa8fa8cc4c,0x7ffa8fa8cc58
            PID: 3624
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,15759991177602703350,2255419075958725567,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1808 /prefetch:2
            PID: 2116
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,15759991177602703350,2255419075958725567,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2108 /prefetch:3
            PID: 2060
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,15759991177602703350,2255419075958725567,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2328 /prefetch:8
            PID: 2468
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,15759991177602703350,2255419075958725567,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3116 /prefetch:1
            PID: 3416
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,15759991177602703350,2255419075958725567,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3288 /prefetch:1
            PID: 3784
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4516,i,15759991177602703350,2255419075958725567,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4572 /prefetch:8
            PID: 4196
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4512,i,15759991177602703350,2255419075958725567,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4644 /prefetch:8
            PID: 4432
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4772,i,15759991177602703350,2255419075958725567,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4700 /prefetch:8
            PID: 3940
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    PID: 1172
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
    Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
    PID: 3140
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID: 4980
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    PID: 5100
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    PID: 700
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads