Analysis
max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 06:56
Static task: static1
Behavioral task: behavioral1
Sample: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
Resource: win10v2004-20240508-en
General
Target: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
Size: 1.8MB
MD5: 26d4679603dd85192173f94a939bd1ca
SHA1: 73d299766f97ec58c3edfeb192ac2797d3577af2
SHA256: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4
SHA512: 9f027f8f4df51dea06f006f7bdc4991f5012ff299f5d332668fada1fae632477cefdf9456e0531a1b9b8c02114db45fbb78d95dc3e7b9e5b6013213749bdc224
SSDEEP: 24576:nTwmONJYU/g2bPXlyC3+7PYDf5Xbg+bwEcECZw0llI/pnJZ4WpouDwJvuQcUT9Eg:Tk2U/g2T1y0DfrFCZCpnT7UJWTLM
Malware Config
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Extracted
Family: stealc
Botnet: jony
C2: http://85.28.47.4
url_path: /920475a59bac849d.php
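Added example, not part of the Triage report: a small Python script that turns the two extracted configurations above into matchable indicators and checks observations against them. The network indicators come straight from the C2 and url_path fields; the host indicators (the %TEMP%\ad40971b6b\explorti.exe install path and C:\Windows\Tasks\explorti.job) are the ones the process tree and the "Drops file in Windows directory" signature show for this sample. The event list is constructed for the demonstration (the page carries no network capture), and the Amadey request format itself is not modelled here.

```python
from urllib.parse import urljoin, urlparse

# Configurations as extracted in the report above (Triage "Malware Config").
AMADEY = {
    "family": "amadey", "version": "4.30", "botnet": "4dd39d",
    "c2": "http://77.91.77.82", "install_dir": "ad40971b6b",
    "install_file": "explorti.exe", "url_paths": ["/Hun4Ko/index.php"],
}
STEALC = {
    "family": "stealc", "botnet": "jony",
    "c2": "http://85.28.47.4", "url_paths": ["/920475a59bac849d.php"],
}


def derive_iocs(cfg):
    """Turn an extracted config into matchable indicators.

    Network: the C2 host and the full request URL(s). Host: for Amadey, the
    install path %TEMP%\\<install_dir>\\<install_file> and the
    C:\\Windows\\Tasks\\<name>.job file, both of which the process tree and the
    "Drops file in Windows directory" signature show for this sample. Paths are
    stored as lower-cased suffixes so they match regardless of the user
    profile directory or drive letter.
    """
    c2 = cfg["c2"].rstrip("/")
    iocs = {
        "hosts": {urlparse(c2).hostname},
        "urls": {urljoin(c2 + "/", p.lstrip("/")) for p in cfg.get("url_paths", [])},
        "path_suffixes": set(),
    }
    if "install_dir" in cfg:
        exe = cfg["install_file"]
        iocs["path_suffixes"].add(f"\\temp\\{cfg['install_dir']}\\{exe}".lower())
        iocs["path_suffixes"].add(f"\\windows\\tasks\\{exe.rsplit('.', 1)[0]}.job".lower())
    return iocs


def match_event(event, iocs):
    """Classify one observation {"type": "url"|"file", "value": ...}.

    Returns "c2_url" (host and path match), "c2_host" (host only, e.g. a
    different path on the same server), "persistence_path", or None.
    The query string is ignored on purpose: beacons vary it per request.
    """
    if event["type"] == "url":
        u = urlparse(event["value"])
        if u.hostname not in iocs["hosts"]:
            return None
        return "c2_url" if f"{u.scheme}://{u.hostname}{u.path}" in iocs["urls"] else "c2_host"
    if event["type"] == "file":
        p = event["value"].lower().replace("/", "\\")
        return "persistence_path" if any(p.endswith(s) for s in iocs["path_suffixes"]) else None
    return None


def scan(events, configs):
    """Match every event against every config; the first hit wins per event."""
    derived = [(cfg["family"], derive_iocs(cfg)) for cfg in configs]
    hits = []
    for ev in events:
        for family, iocs in derived:
            category = match_event(ev, iocs)
            if category:
                hits.append((ev["value"], family, category))
                break
    return hits


# Constructed observations (the report has no network capture); the values
# mirror paths and URLs shown elsewhere on the page, plus one made-up path on
# the Amadey server to show the host-only match.
SAMPLE_EVENTS = [
    {"type": "url", "value": "http://77.91.77.82/Hun4Ko/index.php"},
    {"type": "url", "value": "http://77.91.77.82/Hun4Ko/other.php"},
    {"type": "url", "value": "http://85.28.47.4/920475a59bac849d.php?x=1"},
    {"type": "url", "value": "https://www.youtube.com/account"},
    {"type": "file", "value": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe"},
    {"type": "file", "value": "C:\\Windows\\Tasks\\explorti.job"},
    # Dropped payload from the tree, but not derivable from the config, so no hit.
    {"type": "file", "value": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006001\\b32ceff9b1.exe"},
]

if __name__ == "__main__":
    for value, family, category in scan(SAMPLE_EVENTS, [AMADEY, STEALC]):
        print(f"{category:17} {family:7} {value}")
```

Matching on a lower-cased path suffix rather than the full path keeps the indicator valid for other user profiles; matching the host separately from the full URL lets a different path on the same server still surface as a C2 contact.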
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe, explorti.exe (four instances), ECGHCBGCBF.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ECGHCBGCBF.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe (four instances), ECGHCBGCBF.exe, 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (each of the six processes, 6 rows)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (each of the six processes, 6 rows)
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe, explorti.exe, 7f8c959be2.exe, b32ceff9b1.exe, cmd.exe
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe)
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (explorti.exe)
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (7f8c959be2.exe)
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (b32ceff9b1.exe)
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (cmd.exe)
Executes dropped EXE 7 IoCs
Processes (PID, image):
3220 explorti.exe
2044 b32ceff9b1.exe
3268 7f8c959be2.exe
2660 explorti.exe
2356 ECGHCBGCBF.exe
2488 explorti.exe
1772 explorti.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes: explorti.exe (four instances), 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe, ECGHCBGCBF.exe
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine (explorti.exe, 4 rows)
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine (449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe)
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine (ECGHCBGCBF.exe)
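The VirtualBox, BIOS, location and Wine checks listed above (and the CentralProcessor lookup further down the page) are individually unremarkable; it is one process performing several of them that marks it as evasive. Added example, not from the report: a Python classifier that reads rows in the report's own flattened "Key <action> <path> <process>" layout, tags each registry path with a check type and an ATT&CK technique (the mapping is this example's own; the report only says "2 TTPs"), and flags processes stacking two or more sandbox/VM checks. The sample rows are copied from the tables above; FADT and RSDT are added alongside DSDT as the other ACPI tables VirtualBox stamps with VBOX__, which this report does not show.

```python
import re
from collections import defaultdict

# One report row per line, in the flattened layout this page uses:
# "Key <action> <registry path> <process image>". The path may contain spaces
# ("Control Panel"), so it is matched lazily and the image is the last token.
EVENT_RE = re.compile(r"^Key (opened|value queried|created)\s+(\\REGISTRY\\.+?)\s+(\S+)$")

# (label, ATT&CK technique, pattern on the registry path). The technique
# mapping is this example's, not the report's. DSDT is what the report shows;
# FADT and RSDT are the other ACPI tables VirtualBox stamps with VBOX__.
RULES = [
    ("virtualbox_acpi", "T1497.001", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("bios_version",    "T1497.001", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("cpu_name",        "T1497.001", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\ProcessorNameString)?$", re.I)),
    ("wine",            "T1497.001", re.compile(r"\\Software\\Wine$", re.I)),
    ("geo_nation",      "T1614",     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
]


def parse_event(line):
    """Split one row into (action, registry path, process image), or None."""
    m = EVENT_RE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None


def classify_events(lines):
    """Map each process image to the sorted set of (label, technique) it triggered."""
    findings = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        _action, key, process = ev
        for label, technique, pattern in RULES:
            if pattern.search(key):
                findings[process].add((label, technique))
    return {p: sorted(s) for p, s in findings.items()}


def evasive_processes(findings, minimum=2):
    """Processes that combine at least `minimum` distinct sandbox/VM checks.

    A single check (reading the CPU name, say) is common in benign software;
    stacking several of them is the behaviour worth alerting on.
    """
    return sorted(p for p, hits in findings.items()
                  if sum(1 for _, t in hits if t == "T1497.001") >= minimum)


# Rows copied from the report's signature tables; chrome.exe's BIOS
# manufacturer lookup is included as a control that must not fire.
SAMPLE_LINES = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine explorti.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 7f8c959be2.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString b32ceff9b1.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe",
]

if __name__ == "__main__":
    findings = classify_events(SAMPLE_LINES)
    for process, hits in findings.items():
        print(process, ", ".join(f"{label} ({technique})" for label, technique in hits))
    print("evasive:", evasive_processes(findings))
```

The threshold is deliberately applied per process rather than per run: the geofence lookup by 7f8c959be2.exe is tagged, but it is a location check, not a sandbox check, and does not push the process over the line on its own.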
Loads dropped DLL 2 IoCs
Processes (PID, image):
2044 b32ceff9b1.exe (2 rows)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Resource: behavioral1/files/0x0007000000023410-42.dat
YARA rule: autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes (PID, image):
4608 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
3220 explorti.exe
2044 b32ceff9b1.exe (2 rows)
2660 explorti.exe
2356 ECGHCBGCBF.exe
2488 explorti.exe
1772 explorti.exe
Drops file in Windows directory 1 IoCs
Processes: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
File created C:\Windows\Tasks\explorti.job (449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: b32ceff9b1.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (b32ceff9b1.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (b32ceff9b1.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645498207687207" (chrome.exe)
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes (PID, image, rows):
4608 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe (2)
3220 explorti.exe (2)
2044 b32ceff9b1.exe (4)
2276 chrome.exe (2)
2660 explorti.exe (2)
2356 ECGHCBGCBF.exe (2)
2488 explorti.exe (2)
4800 chrome.exe (2)
1772 explorti.exe (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes (PID, image):
2276 chrome.exe (3 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe
64 rows, all from PID 2276 chrome.exe, alternating between Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (32 of each)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe, 7f8c959be2.exe, chrome.exe
64 rows: PID 4608 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe (1 row); PID 3268 7f8c959be2.exe and PID 2276 chrome.exe (the remaining 63 rows, interleaved)
Suspicious use of SendNotifyMessage 60 IoCs
Processes: 7f8c959be2.exe, chrome.exe
60 rows, all from PID 3268 7f8c959be2.exe and PID 2276 chrome.exe (interleaved)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (PID, image):
2044 b32ceff9b1.exe
2976 cmd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe, explorti.exe, 7f8c959be2.exe, chrome.exe
Distinct writer -> target pairs (64 rows in total; the report repeats each pair, and the 2276 -> 3248 and 2276 -> 1220 writes account for most of the rows):
PID 4608 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe wrote to memory of 3220 (target index 81, 3 rows)
PID 3220 explorti.exe wrote to memory of 2044 (target index 82, 3 rows)
PID 3220 explorti.exe wrote to memory of 3268 (target index 85, 3 rows)
PID 3268 7f8c959be2.exe wrote to memory of 2276 (target index 86, 2 rows)
PID 2276 chrome.exe wrote to memory of 2272 (target index 89, 2 rows)
PID 2276 chrome.exe wrote to memory of 3248 (target index 91, repeated)
PID 2276 chrome.exe wrote to memory of 4372 (target index 92, 2 rows)
PID 2276 chrome.exe wrote to memory of 1220 (target index 93, repeated)
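The WriteProcessMemory rows encode the parent/child relationships that the Processes tree below presents (writer PID, target PID, writer image). Added example, not part of the report: a Python script that parses those rows, drops the repeats, rebuilds the tree and prints the ancestry of any PID, for instance the chain from the submitted sample to the chrome.exe it launched. The rows are constructed from the table above (one copy of each distinct pair plus one duplicate); image names for PIDs that only appear as targets are not in this table, so they are supplied separately from the "Executes dropped EXE" list.

```python
import re

# Rows from the report's "Suspicious use of WriteProcessMemory" table, one per
# line: "PID <writer> wrote to memory of <target> <writer> <writer image> <target index>".
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")


def parse_edges(lines):
    """Return de-duplicated (parent, child) edges in first-seen order and the
    image name of every PID that appears as a writer."""
    edges, names = [], {}
    for line in lines:
        m = EDGE_RE.match(line.strip())
        if not m:
            continue
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        names[parent] = image
        if (parent, child) not in edges:      # the report repeats each edge many times
            edges.append((parent, child))
    return edges, names


def build_tree(edges):
    """children[pid] -> ordered list of child PIDs; roots are PIDs nobody wrote to."""
    children, is_child = {}, set()
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
        children.setdefault(child, [])
        is_child.add(child)
    roots = [pid for pid in children if pid not in is_child]
    return children, roots


def lineage(edges, pid):
    """Ancestor chain from the root down to pid."""
    parent_of = {child: parent for parent, child in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(children, roots, names):
    """Indented text tree. PIDs that never wrote to another process have no
    image name in this table and are shown as '?' unless supplied in names."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


SAMPLE_EXE = "449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe"
# Constructed from the rows above: one copy of each distinct edge plus one
# duplicate, to show the de-duplication.
SAMPLE_ROWS = [
    f"PID 4608 wrote to memory of 3220 4608 {SAMPLE_EXE} 81",
    f"PID 4608 wrote to memory of 3220 4608 {SAMPLE_EXE} 81",
    "PID 3220 wrote to memory of 2044 3220 explorti.exe 82",
    "PID 3220 wrote to memory of 3268 3220 explorti.exe 85",
    "PID 3268 wrote to memory of 2276 3268 7f8c959be2.exe 86",
    "PID 2276 wrote to memory of 2272 2276 chrome.exe 89",
    "PID 2276 wrote to memory of 3248 2276 chrome.exe 91",
    "PID 2276 wrote to memory of 4372 2276 chrome.exe 92",
    "PID 2276 wrote to memory of 1220 2276 chrome.exe 93",
]
# Image names for PIDs that only appear as targets, taken from "Executes dropped EXE".
EXTRA_NAMES = {2044: "b32ceff9b1.exe"}

if __name__ == "__main__":
    edges, names = parse_edges(SAMPLE_ROWS)
    children, roots = build_tree(edges)
    print("\n".join(render(children, roots, {**names, **EXTRA_NAMES})))
    print("chrome.exe lineage:", " -> ".join(map(str, lineage(edges, 2276))))
```

Only cross-process writes are captured here, so a process started without its parent touching its memory (the top-level explorti.exe instances in the tree below, or cmd.exe launched via `start`) will not appear; the tree from this table is a subset of the sandbox's full process tree, not a replacement for it.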
Processes (indented by parent/child depth)
C:\Users\Admin\AppData\Local\Temp\449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4608
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3220
        C:\Users\Admin\AppData\Local\Temp\1000006001\b32ceff9b1.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\b32ceff9b1.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          PID: 2044
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGHCBGCBF.exe"
              PID: 3196
                C:\Users\Admin\AppData\Local\Temp\ECGHCBGCBF.exe
                  command line: "C:\Users\Admin\AppData\Local\Temp\ECGHCBGCBF.exe"
                  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  - Checks BIOS information in registry
                  - Executes dropped EXE
                  - Identifies Wine through registry keys
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Suspicious behavior: EnumeratesProcesses
                  PID: 2356
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJEGCFBGDH.exe"
              - Checks computer location settings
              - Suspicious use of SetWindowsHookEx
              PID: 2976
        C:\Users\Admin\AppData\Local\Temp\1000007001\7f8c959be2.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\7f8c959be2.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 3268
            C:\Program Files\Google\Chrome\Application\chrome.exe
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
              - Enumerates system info in registry
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
              PID: 2276
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91812ab58,0x7ff91812ab68,0x7ff91812ab78
                  PID: 2272
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:2
                  PID: 3248
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:8
                  PID: 4372
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2080 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:8
                  PID: 1220
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:1
                  PID: 3372
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:1
                  PID: 2248
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:1
                  PID: 4312
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:8
                  PID: 1732
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:8
                  PID: 4700
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:8
                  PID: 2636
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 --field-trial-handle=2060,i,3284794316113043902,3971954504111644438,131072 /prefetch:2
                  - Suspicious behavior: EnumeratesProcesses
                  PID: 4800
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 1676
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2660
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2488
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1772
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize: 216B
MD5: d20a87d19e82a6f66f5a505515d9f6b5
SHA1: 8528ea5fa6c4ff57f8dcc4bdc5ad001c67a136b0
SHA256: 75887e1cd7fd17a4f7267daa829b84a4067ac4b13ef5eb295fc10b08db3f4c47
SHA512: 6f0d6ac897f652e7d834e63b1ddd28849cc314a29b3caa3d1cb44934f2a09f6f865ab913e9d917093f187256f0580a4befa795f8e5fc90b4be57c9023a7cb706
-
Filesize: 2KB
MD5: 696e9f4756128a02cb2105693f230115
SHA1: 79a8942857f731b10c8e152dfb0b9930616b445d
SHA256: afa043859f96000b61c489f43cab6fc9271d207c41ae2f6e78e5c07b1bd9413c
SHA512: 08569c10daf81c4dbbc15bf39104f48aac537d92ca56afab6245f575d7d6c240e4a3b6e25a45e820b2d787da88510883a246e7e24f143e9d43528944129ddbc3
-
Filesize: 2KB
MD5: ca2d0515477d793ad7654522874d91a5
SHA1: 966d3966225b21a068cd66a0973a1cbde4870ba2
SHA256: 6827122076f06e9d223e72c03f7626f476bf8ea9d25271ab9eb988eca9af63f6
SHA512: e51721dd9f883a734d8b0f3d77b62ca2127a2e9aea07566da17f4252a9a8c81ec1b05f07d313b03a65cc284017e8ab8b6b2fb621922d44e85b26aca0b3081ef6
-
Filesize: 2B (the digests are those of the two-byte string "[]", an empty JSON array)
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 690B
MD5: 3369b2544d954da9a7ddef4d1a14fd83
SHA1: cad8bdc456bfa7a16d7f10070808159178409bf4
SHA256: 92880c935a100a9f1c53cf87ffe7a4c8a13a095190499796ef26822f77fb5215
SHA512: beca472c4837c2551f746295fbdb5f0bb98df3e06e340e4a658977d1afef1e232f951dbf7a3474afe4f61d3b1603d9fb4664c26736825bd0f68b589e1d8ad278
-
Filesize: 7KB
MD5: db4459de62d9837bc779f53eb5c10fa2
SHA1: ce63fab116f3b614da118b68f69abb6a7648d5c8
SHA256: 02e1d3d6e2c57f777639e0eb9014bdc48a07a195d6a45e8b46af34e0769ceb90
SHA512: 39222229b6dfddc97ad722fe5a40946739ad0b1b0005a2f2a7991195f4a4e288e2f54b2745f54009f5861fc88245f0a0686b88e35acd2c4cea8853c75844f179
-
Filesize: 16KB
MD5: 3d443bfe65687e1ccf3bc826a811f1e1
SHA1: 46ce26c676f9f1b080bd39ec092bf20248aefebf
SHA256: bafcd2f92843771ea927cdeb6c5c11c61d0b8078685ec836cfe2fd4e0cb4daaa
SHA512: 44da4c8dce8f06de277e6994ef3df8cbd06f9f81d4053800137659bbacd8f9a52e988cc44b82c29164827f0f9ca78e0c3682f18938e58e0a21a5076c55c09e8d
-
Filesize: 270KB
MD5: 2ed98134a634456bbb03a005f615eebb
SHA1: cdcebdd7b317c9234d4f9812de570c2bf5a49fa6
SHA256: ac8e66f429b99b64c605de99c5cc9763bc2889952e643d47d63fbf1480e0a3bf
SHA512: 6cca34ed2da14bb5c4f0a0880b0e12b8830d2b495fd47b49c7212dd2d2b54699460c8d54b8025f5c8951f93eeca6dc82507a7c014923c1b8d05ca5e13b36fb7b
-
Filesize: 2.4MB
MD5: f19adb4ea42ab4e1cfe99d50a00956e3
SHA1: 5da5eb1c673010c0b9999c4943999696ecbcdc9d
SHA256: 9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d
SHA512: 6583ef56e91d3fb02d75d5cdf1cfd47d543edbefd5c311f1e6ddfb800c943a4504ab0f747829a75dd98a2c8831e010504f1104d115359a3a8848b1645c57ad41
-
Filesize: 1.1MB
MD5: 774c675ca5538a3aecbb5248e2c309b1
SHA1: 01bee062047192fae4a1cafadc1cac61c825473c
SHA256: e35b613792fa2b43be28182c09cfa9e4b4cafc92cc48adb8c03c77ad656eab63
SHA512: 7fedbe5ed8948844dd8f3fa719d6a210a82cf6d5cdda9fb42b0a1925ca9eb8efaadd77b429fe97181795c7eff16cbfaf2889c26074e5ea36975398051ed0383f
-
Filesize: 1.8MB (same digests as the submitted sample listed under General)
MD5: 26d4679603dd85192173f94a939bd1ca
SHA1: 73d299766f97ec58c3edfeb192ac2797d3577af2
SHA256: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4
SHA512: 9f027f8f4df51dea06f006f7bdc4991f5012ff299f5d332668fada1fae632477cefdf9456e0531a1b9b8c02114db45fbb78d95dc3e7b9e5b6013213749bdc224
-
Filesize: not listed in the report (all four digests are those of empty input, i.e. a 0-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e