Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 04-07-2024 06:56
Static task: static1
Behavioral task: behavioral1
- Sample: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
- Resource: win10v2004-20240508-en
General
- Target: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
- Size: 1.8MB
- MD5: 26d4679603dd85192173f94a939bd1ca
- SHA1: 73d299766f97ec58c3edfeb192ac2797d3577af2
- SHA256: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4
- SHA512: 9f027f8f4df51dea06f006f7bdc4991f5012ff299f5d332668fada1fae632477cefdf9456e0531a1b9b8c02114db45fbb78d95dc3e7b9e5b6013213749bdc224
- SSDEEP: 24576:nTwmONJYU/g2bPXlyC3+7PYDf5Xbg+bwEcECZw0llI/pnJZ4WpouDwJvuQcUT9Eg:Tk2U/g2T1y0DfrFCZCpnT7UJWTLM
Malware Config
Extracted
- Family: amadey
- Version: 4.30
- Botnet: 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php
Extracted
- Family: stealc
- Botnet: jony
- C2: http://85.28.47.4
- url_path: /920475a59bac849d.php
The Amadey install_dir and install_file agree with the behavioural run: the dropped copy runs from C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe and the dropper creates C:\Windows\Tasks\explorti.job for persistence (see Signatures and Processes). Combining C2 and path gives the Amadey check-in URL http://77.91.77.82/Hun4Ko/index.php and the Stealc gate http://85.28.47.4/920475a59bac849d.php.
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
  Processes: explorti.exe, FCFBFHIEBK.exe, KKEHIEBKJK.exe, 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
  IoCs (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  FCFBFHIEBK.exe
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  KKEHIEBKJK.exe
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 14 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: explorti.exe, KKEHIEBKJK.exe, FCFBFHIEBK.exe, 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
  IoCs (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  KKEHIEBKJK.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  FCFBFHIEBK.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  FCFBFHIEBK.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  KKEHIEBKJK.exe
- Executes dropped EXE (8 IoCs)
  Processes (pid, process):
    3880  explorti.exe
    2668  explorti.exe
    2492  850b78662d.exe
    900  9a17682219.exe
    692  FCFBFHIEBK.exe
    1904  KKEHIEBKJK.exe
    1508  explorti.exe
    1608  explorti.exe
- Identifies Wine through registry keys (2 TTPs, 7 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: explorti.exe, FCFBFHIEBK.exe, KKEHIEBKJK.exe, 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
  IoCs (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine  explorti.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine  FCFBFHIEBK.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine  KKEHIEBKJK.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine  explorti.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine  explorti.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine  449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine  explorti.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    2492  850b78662d.exe
    2492  850b78662d.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  IoCs (resource, yara_rule):
    behavioral2/files/0x0002000000025c6e-65.dat  autoit_exe
- Drops file in System32 directory (2 IoCs)
  Processes: chrome.exe
  IoCs (description, ioc, process):
    File created  C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF  chrome.exe
    File created  \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF  chrome.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
  Processes (pid, process):
    1212  449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
    3880  explorti.exe
    2668  explorti.exe
    2492  850b78662d.exe
    2492  850b78662d.exe
    692  FCFBFHIEBK.exe
    1904  KKEHIEBKJK.exe
    1508  explorti.exe
    1608  explorti.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe, chrome.exe
  IoCs (description, ioc, process):
    File created  C:\Windows\Tasks\explorti.job  449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe
    File opened for modification  C:\Windows\SystemTemp  chrome.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 850b78662d.exe
  IoCs (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  850b78662d.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  850b78662d.exe
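The VirtualBox ACPI key, the BIOS version values, the Wine key and the processor-name lookup above are one pattern: reads of hardware-description keys that ordinary software has little reason to touch. The following is an added detection example, not part of this report and not any sandbox's own signature code. It runs over constructed registry-access events modelled on the IoC rows above and flags a process once it hits two or more distinct check categories. The line format (`<pid> <image> <operation> <key>`), the `SAMPLE_EVENTS` text, the abbreviated image name `449c2da8.exe` and the rule list are all assumptions; the ACPI rule also matches the FADT and RSDT table keys that VirtualBox labels `VBOX__`, which goes beyond the DSDT key this report shows.

```python
"""Flag registry reads used for sandbox/VM detection (added example, not sandbox code).

Input is a constructed, whitespace-separated event format assumed for this example:
<pid> <image> <operation> <registry key path>. A real source (Sysmon Event ID 12/13,
ETW registry events) needs its own parser in place of parse_events().
"""
import re

# One rule per category of anti-analysis lookup seen in the report. The ACPI rule
# generalises beyond the report's DSDT key to the FADT/RSDT tables (assumption).
RULES = [
    ("acpi_vbox",     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios_version",  re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine",          re.compile(r"\\Software\\Wine$", re.I)),
    ("cpu_name",      re.compile(r"\\CentralProcessor\\\d+\\ProcessorNameString$", re.I)),
    # Low signal on its own: chrome.exe reads these in this very report.
    ("smbios_vendor", re.compile(r"\\System\\BIOS\\(SystemManufacturer|SystemProductName)$", re.I)),
]

# Constructed events modelled on the report's IoC rows (sample name abbreviated).
SAMPLE_EVENTS = r"""
1212 449c2da8.exe KeyOpened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
1212 449c2da8.exe ValueQueried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
1212 449c2da8.exe KeyOpened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine
2492 850b78662d.exe ValueQueried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
1528 chrome.exe ValueQueried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
4000 notepad.exe KeyOpened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"""


def parse_events(text):
    """Parse the assumed '<pid> <image> <op> <key>' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, op, key = line.split(maxsplit=3)
        events.append({"pid": int(pid), "image": image, "op": op, "key": key})
    return events


def classify(events):
    """Map pid -> {'image', 'categories'} for every event that matches a rule."""
    hits = {}
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["key"]):
                entry = hits.setdefault(ev["pid"], {"image": ev["image"], "categories": set()})
                entry["categories"].add(name)
    return hits


def flagged(text, min_categories=2):
    """Processes that hit at least min_categories distinct check types.

    Two is the cut-off so that a lone SMBIOS vendor read, which Chrome performs
    legitimately, is not enough by itself.
    """
    result = []
    for pid, entry in sorted(classify(parse_events(text)).items()):
        if len(entry["categories"]) >= min_categories:
            result.append((pid, entry["image"], sorted(entry["categories"])))
    return result


if __name__ == "__main__":
    for pid, image, cats in flagged(SAMPLE_EVENTS):
        print(f"pid {pid} {image}: {', '.join(cats)}")
```

On the constructed input only PID 1212 is flagged (three categories); 850b78662d.exe and chrome.exe each hit a single category and stay below the threshold, which mirrors how this report separates the dropper's checks from Chrome's "Enumerates system info in registry" rows.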
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: chrome.exe
  IoCs (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: chrome.exe
  IoCs (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
    Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645498302601378"  chrome.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (pid, process, number of rows):
    1212  449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe  (2)
    3880  explorti.exe  (2)
    2668  explorti.exe  (2)
    2492  850b78662d.exe  (4)
    1528  chrome.exe  (2)
    692  FCFBFHIEBK.exe  (2)
    1904  KKEHIEBKJK.exe  (2)
    1508  explorti.exe  (2)
    1608  explorti.exe  (2)
    3724  chrome.exe  (4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  Processes (pid, process):
    1528  chrome.exe
    1528  chrome.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: chrome.exe
  IoCs (description, pid, process): 64 rows, all for 1528 chrome.exe, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (32 of each)
- Suspicious use of FindShellTrayWindow (63 IoCs)
  Processes (pid, process): 63 rows, all for 900 9a17682219.exe and 1528 chrome.exe
- Suspicious use of SendNotifyMessage (48 IoCs)
  Processes (pid, process): 48 rows, all for 900 9a17682219.exe and 1528 chrome.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    2492  850b78662d.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe, explorti.exe, 9a17682219.exe, chrome.exe
  IoCs (description, pid, process, procid_target), identical rows collapsed:
    PID 1212 wrote to memory of 3880  449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe  target 77  (3 rows)
    PID 3880 wrote to memory of 2492  explorti.exe  target 79  (3 rows)
    PID 3880 wrote to memory of 900  explorti.exe  target 80  (3 rows)
    PID 900 wrote to memory of 1528  9a17682219.exe  target 81  (2 rows)
    PID 1528 wrote to memory of 4816  chrome.exe  target 84  (2 rows)
    PID 1528 wrote to memory of 5096  chrome.exe  target 85  (repeated)
    PID 1528 wrote to memory of 1048  chrome.exe  target 86  (2 rows)
    PID 1528 wrote to memory of 708  chrome.exe  target 87  (repeated; the 5096 and 708 rows together account for the remaining 49 of the 64)
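The 64 WriteProcessMemory rows are one row per recorded write, so a parent that writes to the same child several times produces several identical rows; the distinct parent/child pairs are what reproduce the launch chain in the process list. Below is an added example (not the sandbox's own code) of a parser for rows in this report's format that collapses them into unique parent-to-child edges, counts the duplicates, and reconstructs the chain from the dropper to Chrome's child processes. `SAMPLE_ROWS` is a constructed excerpt of the rows above with the sample's file name abbreviated to `449c2da8.exe`, and `IMAGES` is a lookup assumed from the process list for rendering only, since the rows themselves name only the parent image.

```python
"""Collapse a sandbox report's WriteProcessMemory rows into a process tree.

Added example, not the sandbox's own code. The row text is the format this report
prints: 'PID <parent> wrote to memory of <child> <parent> <image> <target>'.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# Constructed excerpt of the report's rows; duplicates kept on purpose and the
# sample's long file name abbreviated to 449c2da8.exe.
SAMPLE_ROWS = (
    "PID 1212 wrote to memory of 3880 1212 449c2da8.exe 77 "
    "PID 1212 wrote to memory of 3880 1212 449c2da8.exe 77 "
    "PID 3880 wrote to memory of 2492 3880 explorti.exe 79 "
    "PID 3880 wrote to memory of 900 3880 explorti.exe 80 "
    "PID 900 wrote to memory of 1528 900 9a17682219.exe 81 "
    "PID 1528 wrote to memory of 4816 1528 chrome.exe 84 "
    "PID 1528 wrote to memory of 5096 1528 chrome.exe 85 "
    "PID 1528 wrote to memory of 5096 1528 chrome.exe 85 "
    "PID 1528 wrote to memory of 1048 1528 chrome.exe 86 "
    "PID 1528 wrote to memory of 708 1528 chrome.exe 87 "
)

# Child images are not in the rows; this map is assumed from the report's process
# list and used only for rendering.
IMAGES = {1212: "449c2da8.exe", 3880: "explorti.exe", 2492: "850b78662d.exe",
          900: "9a17682219.exe", 1528: "chrome.exe", 4816: "chrome.exe",
          5096: "chrome.exe", 1048: "chrome.exe", 708: "chrome.exe"}


def edge_counts(text):
    """Rows per (parent_pid, child_pid, parent_image), in first-seen order."""
    counts = {}
    for m in ROW_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        counts[edge] = counts.get(edge, 0) + 1
    return counts


def parse_rows(text):
    """Unique parent->child edges in first-seen order."""
    return list(edge_counts(text))


def build_tree(edges):
    """parent pid -> list of child pids."""
    children = defaultdict(list)
    for parent, child, _ in edges:
        children[parent].append(child)
    return dict(children)


def roots(edges):
    """PIDs that write to others but are never written to: the chain's origins."""
    parents = {p for p, _, _ in edges}
    kids = {c for _, c, _ in edges}
    return sorted(parents - kids)


def chain(tree, start, target):
    """Depth-first launch path from start to target, or None if unreachable."""
    if start == target:
        return [start]
    for kid in tree.get(start, []):
        path = chain(tree, kid, target)
        if path:
            return [start] + path
    return None


def render(edges, images):
    """Indented text tree, one line per process."""
    tree, lines = build_tree(edges), []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for kid in tree.get(pid, []):
            walk(kid, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print("\n".join(render(edges, IMAGES)))
```

Run against the full row text of a report, `edge_counts` shows at a glance which pairs are single creations and which are repeated writes, and `chain` answers the triage question of how a given child (here a Chrome worker) traces back to the submitted sample.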
Processes
(Indentation shows parent/child depth; the signatures triggered by each process are listed beneath it.)

C:\Users\Admin\AppData\Local\Temp\449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe  PID:1212
  Command line: "C:\Users\Admin\AppData\Local\Temp\449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  PID:3880
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000006001\850b78662d.exe  PID:2492
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\850b78662d.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\cmd.exe  PID:2400
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCFBFHIEBK.exe"
        C:\Users\Admin\AppData\Local\Temp\FCFBFHIEBK.exe  PID:692
          Command line: "C:\Users\Admin\AppData\Local\Temp\FCFBFHIEBK.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe  PID:3144
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKEHIEBKJK.exe"
        C:\Users\Admin\AppData\Local\Temp\KKEHIEBKJK.exe  PID:1904
          Command line: "C:\Users\Admin\AppData\Local\Temp\KKEHIEBKJK.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1000007001\9a17682219.exe  PID:900
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\9a17682219.exe"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1528
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
        - Drops file in Windows directory
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4816
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb47dacc40,0x7ffb47dacc4c,0x7ffb47dacc58
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:5096
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,3285341175936794900,14212981493068908487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1864 /prefetch:2
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:1048
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,3285341175936794900,14212981493068908487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2044 /prefetch:3
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:708
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,3285341175936794900,14212981493068908487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2420 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2992
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,3285341175936794900,14212981493068908487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3152 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3400
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3285341175936794900,14212981493068908487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3204 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:2520
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4488,i,3285341175936794900,14212981493068908487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4396 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:4696
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,3285341175936794900,14212981493068908487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4640 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe  PID:3724
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4292,i,3285341175936794900,14212981493068908487,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=868 /prefetch:8
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  PID:2668
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe  PID:1904
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

C:\Windows\system32\svchost.exe  PID:1204
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  PID:1508
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  PID:1608
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

Note: PID 1904 is listed for both KKEHIEBKJK.exe and elevation_service.exe (PID reuse within the run), so a PID on its own does not identify a process in this report; pair it with the image path. The three top-level explorti.exe instances (PIDs 2668, 1508, 1608) run without a recorded parent and without quotes in their command line, consistent with launches from the scheduled task explorti.job rather than from the dropper.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
- Filesize: 64KB
  MD5: b5ad5caaaee00cb8cf445427975ae66c
  SHA1: dcde6527290a326e048f9c3a85280d3fa71e1e22
  SHA256: b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
  SHA512: 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f
- Filesize: 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
- Filesize: 1008B
  MD5: d222b77a61527f2c177b0869e7babc24
  SHA1: 3f23acb984307a4aeba41ebbb70439c97ad1f268
  SHA256: 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
  SHA512: d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff
- Filesize: 649B
  MD5: 0a15ff9f45a4e36703886c77fd2ee4ff
  SHA1: 1205e92a3b005c8ef0379fca7161dd882ad2820b
  SHA256: d93f6641b06a94643ee8f08a6b18819eabe83ccce5949b26ab7a8336f18d6d8a
  SHA512: 516eb97b32140975ac2e247561a39682386c77d0df519c7992199da2510100a49bedbf1527d367d6e981aa0a1d8abdbfaec1bd001dae5abe9b7bed0fe4f03739
- Filesize: 264B
  MD5: 8db03a422675619a417240a7a385f94c
  SHA1: 0e3f6c02a03c29efbffd06bfbacfad0b3accbaf3
  SHA256: 0bb03020f47584144bba22595972f87d5a4c4ef01fb193c1c3c442b4bcdcbbaa
  SHA512: da16761349eb1ea65fc884884b61bc0b8c9d9f076dc1d6eca8a5f7f8ada97280cd3f8a85637de991b7e37618d48f5355a3ce60950783f67ac07b69b66803d58e
- Filesize: 3KB
  MD5: 56cfafaccc512d6e11a4e8ca6fdb2afd
  SHA1: 46cd87de9f6452ec77e4e7fc0e38b260696675a8
  SHA256: 12d09a45fdb4713508280052fca9219309d6eff7d14d03a7000b76ea22ebcf8a
  SHA512: 3faa42b1bd00c1baf93176ae32e001aa0e9629acccaf8f880284919e3c14216d7964e50f933219f06486154ad833907b35cacf2b739b0d16a03aca09cbd5baa3
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 524B
  MD5: 8e7a1bbd7d449c846dd6c9b149c69bee
  SHA1: 86823735c0da8795dc80901e043c9380c756ec5a
  SHA256: d81bd7476fba0dfa65894d6dbfe2851804bb4af5fefbb2a77e8ecb69af70501f
  SHA512: 91003a12ca81417abd8a64ead68db00a71a6d8898691b6f8315b3d7ccdd441d2d5dc8e915c0be5919dd49fcde8178bf7d6f1ad1ebb177e4371b1af25c9027f4a
- Filesize: 9KB
  MD5: 57976cc1d2b195a7358d6d363e8e692d
  SHA1: 19727389ed3416482904831d2efb03db11337a6a
  SHA256: 3b4666d9fae94b2f4bb2b004f736a2985080c69882d94953e54f50eb75a6bbba
  SHA512: 1722381f20ae65fafe1a3f528311c0ca15fcaceb775fab03a553e1367047937f257c418a2a2d2ede49386385bdf4eff1c04aa00ef094ad03e663a8dca0180d7d
- Filesize: 9KB
  MD5: 084a26a4dfbc7511463dbb6c4e32bc1f
  SHA1: 9209eca046f7ac602269f72dc615246328120a26
  SHA256: 477dc59870a1b7b70063d666c43cc107b0f785bdcd619b09cfcf5868e80c1271
  SHA512: 606c4ed83320755e33e5490e6af1bab213e493d23c9e1ae819568bf3b62deeec74b745946c2ccb4c4d1324ef6a2fe5c4b8aa4a05e0e1b22179d94f17a3512502
- Filesize: 9KB
  MD5: cfe9aa3a5c5b9c210e107e882084a4e0
  SHA1: 3fa63f1a7043bfb85386bf5731f5c4b30261a83f
  SHA256: 833c91cfb74c530c5207897341cee8957a74c13f61eb390493479a126be67bed
  SHA512: f9962c73ebd47a62ae8bc4106cdec279e169ce8f07f1c1d0b98f0a4698938e6388ab1b1d03df8565595c92f06151e8d8b3dcd80989890e52def21390038b070c
- Filesize: 9KB
  MD5: b0974b1bc85e088ff744d428d84717dd
  SHA1: ccc6c92d57cd64cd261f73168a693f1be045a4df
  SHA256: 970232ec368e358c16fa9b78b6934e52fcfc0339698b5b3038c8d827639a93f0
  SHA512: 9621de248d9c5694cec3d16d7d7bac83a5cb87c7db6a11da8e9c2b5640a69b5a573e55b49cf119033c7844e366804b8f9b5df39b205e75d409a14fd6021f5341
- Filesize: 9KB
  MD5: c0ecbd996f2836c4c6db6bf8ba9392ee
  SHA1: f704bb6774f02b02b5901d81377d2d9f7ed7a151
  SHA256: 94cd40dbb15b92175cdf984be089f9d63c4505f3168e55780d6377b732d4e1f4
  SHA512: 49aea3a3dce067a3f04bb6a2da01388ae3c3c4bd52925273b92adc24ba581ba2c509a179e6fe3fd4c021837bb1bc4701d0f591db2c2ec6e15eeae08d2d05dee8
- Filesize: 15KB
  MD5: 5da52768c74972b385f7f3d3cc62df5c
  SHA1: 85603070e276d788fbb3b4c709ffb755c73a0851
  SHA256: 452521c2eee07829ace3ed90a143ca6d8d8c1063c8468bbee4ac28e1e8fdae79
  SHA512: 8190b7af9b7f515c6fcf0f4d4666648c826b23502309987eb8c53876358903fbbab89e827a1b2192120f934dbbc9a3be8aace0ace08936b3750aba19ed9400de
- Filesize: 167KB
  MD5: c980d79aa5c3dcb715974c9152a4cc55
  SHA1: 8dac22684e40419249a9d78a5336408f249ea2df
  SHA256: 9d34f80e483e83f97b28971a14f8329f68aaf9afac6db1fc8386aac4be55c20d
  SHA512: a5d523de70a168875cf83b0573a61b045c740df9ad318d7bfc793acb90c18a3410c54ce94b560ca2a7a58da981512e8211ddde32f99e6f7b6be3ca0c44058ae0
- Filesize: 167KB
  MD5: 3eaf97453524313160dbd1f5222d490d
  SHA1: 2215e83d146e6efd13b065da163f8ac44b66ed11
  SHA256: 4cbfa928a22334925b271ddf60844cd5555af2054bac74292c3a44043d02e866
  SHA512: d69a8fd28e4f7522c4f3c0b7ba58fa4051d7b91a191fee653395472fd9a20195081b28cba016803557fb52b4dad1680a19555e34d48c3f7f61398ba2c727a72b
- Filesize: 2.4MB
  MD5: f19adb4ea42ab4e1cfe99d50a00956e3
  SHA1: 5da5eb1c673010c0b9999c4943999696ecbcdc9d
  SHA256: 9023777f5529c209b55ac61d14e2a7f978491d14df51268b49d947010f46376d
  SHA512: 6583ef56e91d3fb02d75d5cdf1cfd47d543edbefd5c311f1e6ddfb800c943a4504ab0f747829a75dd98a2c8831e010504f1104d115359a3a8848b1645c57ad41
- Filesize: 1.1MB
  MD5: 774c675ca5538a3aecbb5248e2c309b1
  SHA1: 01bee062047192fae4a1cafadc1cac61c825473c
  SHA256: e35b613792fa2b43be28182c09cfa9e4b4cafc92cc48adb8c03c77ad656eab63
  SHA512: 7fedbe5ed8948844dd8f3fa719d6a210a82cf6d5cdda9fb42b0a1925ca9eb8efaadd77b429fe97181795c7eff16cbfaf2889c26074e5ea36975398051ed0383f
- Filesize: 1.8MB (identical to the submitted sample; see General)
  MD5: 26d4679603dd85192173f94a939bd1ca
  SHA1: 73d299766f97ec58c3edfeb192ac2797d3577af2
  SHA256: 449c2da89ec70f128e883513c328533a2f938ac5194c68ff5253c65256fb4ce4
  SHA512: 9f027f8f4df51dea06f006f7bdc4991f5012ff299f5d332668fada1fae632477cefdf9456e0531a1b9b8c02114db45fbb78d95dc3e7b9e5b6013213749bdc224
- Filesize: not reported (these are the digests of empty input, 0 bytes)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e