Analysis
max time kernel: 150s
max time network: 154s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-07-2024 07:51
Static task: static1
Behavioral task: behavioral1
Sample: a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe
Resource: win10v2004-20240508-en
General
Target: a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe
Size: 1.8MB
MD5: 2a43e4347cf7c8b00c747ca8cbc6ff38
SHA1: 043b825e7d696a96a550f04d9f8746c4dca66317
SHA256: a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb
SHA512: 8d56ce19222e31244619daa289521a8a423df0c864bfaaf41a713971006f14ef0972efb555529cab090abb5a9440b2c8422bc3e02eac29ce04427795d7fb51f6
SSDEEP: 49152:zNr4YQY8NG8rd8Yl4IrjzqVnTV374VKfmJuOZynyegn:zN8swbl3rj4TV374VOJOZyA
Malware Config

Extracted: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php

Extracted: stealc
Botnet: jony
C2: http://85.28.47.4
url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 5 IoCs]
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (BGHIIJDGHC.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)

Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 10 IoCs]
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (BGHIIJDGHC.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (BGHIIJDGHC.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
Executes dropped EXE [6 IoCs]
- 3972 explorti.exe
- 1188 fd748b0f61.exe
- 1852 explorti.exe
- 1960 BGHIIJDGHC.exe
- 1664 88b61b5cf0.exe
- 724 explorti.exe
Identifies Wine through registry keys [2 TTPs, 5 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine (BGHIIJDGHC.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine (a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine (explorti.exe)
Loads dropped DLL [2 IoCs]
- 1188 fd748b0f61.exe
- 1188 fd748b0f61.exe
Reads data files stored by FTP clients [2 TTPs]
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Checks installed software on the system [1 TTPs]
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable [1 IoCs]
AutoIT scripts compiled to PE executables.
- resource behavioral2/files/0x0002000000025c80-134.dat, yara_rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [10 IoCs]
- 4964 a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe
- 3972 explorti.exe
- 1188 fd748b0f61.exe
- 1188 fd748b0f61.exe
- 1188 fd748b0f61.exe
- 1852 explorti.exe
- 1188 fd748b0f61.exe
- 1188 fd748b0f61.exe
- 1960 BGHIIJDGHC.exe
- 724 explorti.exe
Drops file in Windows directory [1 IoCs]
- File created C:\Windows\Tasks\explorti.job (a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe)

Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry [2 TTPs, 2 IoCs]
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (fd748b0f61.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (fd748b0f61.exe)
Enumerates system info in registry [2 TTPs, 3 IoCs]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)

Modifies data under HKEY_USERS [2 IoCs]
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645531523102557" (chrome.exe)
Suspicious behavior: EnumeratesProcesses [16 IoCs]
- 4964 a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe (2 entries)
- 3972 explorti.exe (2 entries)
- 1188 fd748b0f61.exe (2 entries)
- 1852 explorti.exe (2 entries)
- 1188 fd748b0f61.exe (2 entries)
- 1960 BGHIIJDGHC.exe (2 entries)
- 4928 chrome.exe (2 entries)
- 724 explorti.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [3 IoCs]
- 4928 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken [64 IoCs]
All 64 entries come from PID 4928 chrome.exe and alternate between the following two token adjustments:
- Token: SeShutdownPrivilege (4928 chrome.exe)
- Token: SeCreatePagefilePrivilege (4928 chrome.exe)
Suspicious use of FindShellTrayWindow [63 IoCs]
Repeated calls from two processes (63 entries in total):
- 1664 88b61b5cf0.exe
- 4928 chrome.exe

Suspicious use of SendNotifyMessage [48 IoCs]
Repeated calls from two processes (48 entries in total):
- 1664 88b61b5cf0.exe
- 4928 chrome.exe
Suspicious use of SetWindowsHookEx [2 IoCs]
- 1188 fd748b0f61.exe
- 4084 cmd.exe
Suspicious use of WriteProcessMemory [64 IoCs]
Parent-to-child memory writes, with duplicate rows collapsed (64 entries in total). Columns: description | pid and process | procid_target.
- PID 4964 wrote to memory of 3972 | 4964 a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe | 79
- PID 3972 wrote to memory of 1188 | 3972 explorti.exe | 80
- PID 1188 wrote to memory of 2244 | 1188 fd748b0f61.exe | 82
- PID 1188 wrote to memory of 4084 | 1188 fd748b0f61.exe | 84
- PID 2244 wrote to memory of 1960 | 2244 cmd.exe | 86
- PID 3972 wrote to memory of 1664 | 3972 explorti.exe | 87
- PID 1664 wrote to memory of 4928 | 1664 88b61b5cf0.exe | 88
- PID 4928 wrote to memory of 680 | 4928 chrome.exe | 91
- PID 4928 wrote to memory of 956 | 4928 chrome.exe | 92
- PID 4928 wrote to memory of 4004 | 4928 chrome.exe | 93
- PID 4928 wrote to memory of 2592 | 4928 chrome.exe | 94
Processes
(Process tree; each entry is indented by its depth in the tree.)

C:\Users\Admin\AppData\Local\Temp\a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe (PID 4964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1e7c9ba5d2f4816455502b943dacc9738002aa36a902f8df0c3cb4c057f2fbb.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 3972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1000006001\fd748b0f61.exe (PID 1188)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\fd748b0f61.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 2244)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BGHIIJDGHC.exe"
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\BGHIIJDGHC.exe (PID 1960)
          Command line: "C:\Users\Admin\AppData\Local\Temp\BGHIIJDGHC.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe (PID 4084)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDHJEBGIEB.exe"
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\1000007001\88b61b5cf0.exe (PID 1664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\88b61b5cf0.exe"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4928)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 680)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb842dab58,0x7ffb842dab68,0x7ffb842dab78

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 956)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1500 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:2

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4004)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2592)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 844)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1888)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3212)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4088 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2500)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 8)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4608)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1784,i,3497237135254963230,13866003525565884878,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 1852)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 4116)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 724)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads