Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 09:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe
- Resource: win10v2004-20240508-en
General
- Target: 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe
- Size: 1.9MB
- MD5: 9ab3056049db46aab996ce1e3a95d55a
- SHA1: c476519817b7b25c454dd7810468a86bfea05290
- SHA256: 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076
- SHA512: eff5406e9a637936efa80fdc0672e33eae0555661fa15cf98a7bef304ba8fecb6b7bade7620e303d950e3c97677b89b107a4a2105f2504f151cda9c2475f3872
- SSDEEP: 49152:yvrs1gYWHC5ktspVzqGMAs+6tY6CTlCmdCc5S7:yTaZZVuGMAtAmS7
Malware Config

Extracted
- Family: amadey
- Version: 4.30
- Botnet: 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php

Extracted
- Family: stealc
- Botnet: jony
- C2: http://85.28.47.4
- url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes (process: description and IoC):
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- AAAAECGHCB.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (process: description and IoC):
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- AAAAECGHCB.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- AAAAECGHCB.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes (process: description and IoC):
- e20fdb05e9.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
- 03e4916ca9.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
- cmd.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
- 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
- explorti.exe: Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (6 IoCs)
Processes (PID, process):
- 4176 explorti.exe
- 5012 03e4916ca9.exe
- 3664 e20fdb05e9.exe
- 2104 AAAAECGHCB.exe
- 2064 explorti.exe
- 2156 explorti.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (process: description and IoC):
- 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe: Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine
- AAAAECGHCB.exe: Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine

Loads dropped DLL (2 IoCs)
Processes (PID, process):
- 5012 03e4916ca9.exe (2 entries)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
Resource and YARA rule:
- behavioral1/files/0x000700000002342a-42.dat: autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes (PID, process):
- 3592 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe
- 4176 explorti.exe
- 5012 03e4916ca9.exe (3 entries)
- 2104 AAAAECGHCB.exe
- 2064 explorti.exe
- 2156 explorti.exe

Drops file in Windows directory (1 IoCs)
Processes (process: description and IoC):
- 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe: File created C:\Windows\Tasks\explorti.job

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (process: description and IoC):
- 03e4916ca9.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- 03e4916ca9.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (process: description and IoC):
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

Modifies data under HKEY_USERS (2 IoCs)
Processes (process: description and IoC):
- chrome.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- chrome.exe: Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645573407735089"

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes (PID, process), in the order reported:
- 3592 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe (2 entries)
- 4176 explorti.exe (2 entries)
- 5012 03e4916ca9.exe (2 entries)
- 3752 chrome.exe (2 entries)
- 5012 03e4916ca9.exe (2 entries)
- 2104 AAAAECGHCB.exe (2 entries)
- 2064 explorti.exe (2 entries)
- 2156 explorti.exe (2 entries)
- 3960 chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
Processes (PID, process):
- 3752 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token, PID, process); the 64 entries alternate between the following two:
- Token: SeShutdownPrivilege, 3752 chrome.exe
- Token: SeCreatePagefilePrivilege, 3752 chrome.exe

Suspicious use of FindShellTrayWindow (63 IoCs)
Processes (PID, process); all 63 entries come from these two processes:
- 3664 e20fdb05e9.exe
- 3752 chrome.exe

Suspicious use of SendNotifyMessage (60 IoCs)
Processes (PID, process); all 60 entries come from these two processes:
- 3664 e20fdb05e9.exe
- 3752 chrome.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (PID, process):
- 5012 03e4916ca9.exe
- 532 cmd.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID wrote to memory of target PID, source process, procid_target); the 64 entries are repeats of the following writes:
- PID 3592 wrote to memory of 4176, 6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe, 81
- PID 4176 wrote to memory of 5012, explorti.exe, 82
- PID 4176 wrote to memory of 3664, explorti.exe, 83
- PID 3664 wrote to memory of 3752, e20fdb05e9.exe, 84
- PID 3752 wrote to memory of 816, chrome.exe, 86
- PID 3752 wrote to memory of 1784, chrome.exe, 87
- PID 3752 wrote to memory of 2288, chrome.exe, 88
- PID 3752 wrote to memory of 720, chrome.exe, 89
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe (PID 3592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c10908b3abfe8ae36bc24267a64a546bf9bc117b16344234857e8cc031a4076.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 4176)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1000006001\03e4916ca9.exe (PID 5012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\03e4916ca9.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe (PID 2500)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAAAECGHCB.exe"

        C:\Users\Admin\AppData\Local\Temp\AAAAECGHCB.exe (PID 2104)
          Command line: "C:\Users\Admin\AppData\Local\Temp\AAAAECGHCB.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe (PID 532)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAEBGCFIEH.exe"
        - Checks computer location settings
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\1000007001\e20fdb05e9.exe (PID 3664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\e20fdb05e9.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3752)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 816)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb58c9ab58,0x7ffb58c9ab68,0x7ffb58c9ab78

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1784)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:2

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2288)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 720)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4404)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1616)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4732)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 760)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2972)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2928)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3960)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1904 --field-trial-handle=1948,i,15775517850281229088,18021237188766542040,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 1604)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 2064)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 2156)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads