Analysis
max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-07-2024 11:56
Static task: static1
Behavioral task: behavioral1
Sample: e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
Resource: win10v2004-20240508-en
General
Target: e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
Size: 1.8MB
MD5: df8d48dbc3ecd416a49a603261625d97
SHA1: f501a9b3780789be9127a27f2bc9a804068741ac
SHA256: e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b
SHA512: 96ee3aca4eec7ac177b365f57bbda0cfd1e54bba70c02eade6aedb042e16857ba977f52107260708a79f744dc58e54269489d48fa0c161b8e9f37b63b29d6675
SSDEEP: 49152:SliR2se6Ukj852AadWDt1rDakvnh/8YldcZexux:SlijeW8Ax6TukJ/7eyu
Malware Config
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Extracted
Family: stealc
Botnet: jony
C2: http://85.28.47.4
url_path: /920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GHDAAKJEGC.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GHDAAKJEGC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GHDAAKJEGC.exe
Executes dropped EXE 7 IoCs
Processes:
pid | Process
4728 | explorti.exe
3052 | explorti.exe
4812 | 464038d61b.exe
1428 | df52d76133.exe
1480 | GHDAAKJEGC.exe
4952 | explorti.exe
3824 | explorti.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine | GHDAAKJEGC.exe
Key opened | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
Key opened | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine | explorti.exe
Loads dropped DLL 2 IoCs
Processes:
pid | Process
4812 | 464038d61b.exe
4812 | 464038d61b.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/files/0x000100000002aa4f-48.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
pid | Process
3368 | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
4728 | explorti.exe
3052 | explorti.exe
4812 | 464038d61b.exe
4812 | 464038d61b.exe
1480 | GHDAAKJEGC.exe
4952 | explorti.exe
3824 | explorti.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 464038d61b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 464038d61b.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645678301211553" | chrome.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid | Process
3368 | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
3368 | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
4728 | explorti.exe
4728 | explorti.exe
3052 | explorti.exe
3052 | explorti.exe
4812 | 464038d61b.exe
4812 | 464038d61b.exe
2772 | chrome.exe
2772 | chrome.exe
4812 | 464038d61b.exe
4812 | 464038d61b.exe
1480 | GHDAAKJEGC.exe
1480 | GHDAAKJEGC.exe
4952 | explorti.exe
4952 | explorti.exe
3824 | explorti.exe
3824 | explorti.exe
3672 | chrome.exe
3672 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid | Process
2772 | chrome.exe
2772 | chrome.exe
2772 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | Process
Token: SeShutdownPrivilege | 2772 | chrome.exe (32 entries, alternating with the next row)
Token: SeCreatePagefilePrivilege | 2772 | chrome.exe (32 entries)
Suspicious use of FindShellTrayWindow 63 IoCs
Processes:
pid | Process
1428 | df52d76133.exe (3 entries)
2772 | chrome.exe (26 entries)
1428 | df52d76133.exe (2 entries)
2772 | chrome.exe (1 entry)
1428 | df52d76133.exe (31 entries)
Suspicious use of SendNotifyMessage 48 IoCs
Processes:
pid | Process
1428 | df52d76133.exe (3 entries)
2772 | chrome.exe (12 entries)
1428 | df52d76133.exe (33 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | Process
4812 | 464038d61b.exe
1004 | cmd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | Process | procid_target
PID 3368 wrote to memory of 4728 | 3368 | e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe | 82 (3 entries)
PID 4728 wrote to memory of 4812 | 4728 | explorti.exe | 84 (3 entries)
PID 4728 wrote to memory of 1428 | 4728 | explorti.exe | 85 (3 entries)
PID 1428 wrote to memory of 2772 | 1428 | df52d76133.exe | 86 (2 entries)
PID 2772 wrote to memory of 2760 | 2772 | chrome.exe | 89 (2 entries)
PID 2772 wrote to memory of 1524 | 2772 | chrome.exe | 90 (32 entries)
PID 2772 wrote to memory of 1560 | 2772 | chrome.exe | 91 (2 entries)
PID 2772 wrote to memory of 3676 | 2772 | chrome.exe | 92 (18 entries)
Processes
(indentation shows the parent/child tree; the depth number the report attached to each entry is preserved as the nesting level)

C:\Users\Admin\AppData\Local\Temp\e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e3043a8db9a860a96cf88db937ae559f95db4da4cdb9e641ce0f60a256573d3b.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3368

    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4728

        C:\Users\Admin\AppData\Local\Temp\1000006001\464038d61b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\464038d61b.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        PID: 4812

            C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHDAAKJEGC.exe"
            PID: 4656

                C:\Users\Admin\AppData\Local\Temp\GHDAAKJEGC.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\GHDAAKJEGC.exe"
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Identifies Wine through registry keys
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious behavior: EnumeratesProcesses
                PID: 1480

            C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBFHJEGDAF.exe"
            - Suspicious use of SetWindowsHookEx
            PID: 1004

        C:\Users\Admin\AppData\Local\Temp\1000007001\df52d76133.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\df52d76133.exe"
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 1428

            C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
            - Enumerates system info in registry
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 2772

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8f4aab58,0x7fff8f4aab68,0x7fff8f4aab78
                PID: 2760

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:2
                PID: 1524

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:8
                PID: 1560

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:8
                PID: 3676

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:1
                PID: 1764

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:1
                PID: 1480

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:1
                PID: 412

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3088 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:8
                PID: 1032

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:8
                PID: 4764

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:8
                PID: 1388

                C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1804,i,1929225327699887806,5765388736339446256,131072 /prefetch:2
                - Suspicious behavior: EnumeratesProcesses
                PID: 3672

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 4584

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 4952

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3824
Network
MITRE ATT&CK Enterprise v15
Downloads