Analysis
Max time kernel: 150s
Max time network: 141s
Platform: windows11-21h2_x64
Resource: win11-20240611-en
Resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 24/06/2024, 21:26

Static task: static1
Behavioral task: behavioral1
Sample: 8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
Resource: win10v2004-20240508-en
General
Target: 8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
Size: 1.8MB
MD5: 12ab9284b7bc5f1a10fdab18ec3387c6
SHA1: e3dcf2c85f3ab888fcc0e0555fc0438e85411d86
SHA256: 8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448
SHA512: c997de1c1e4926fbef32a40d007696df714e56f987cb57a4fbf20b8f1a749bc83e37927174f778672c82b363980c5512a546990fb3c0172305c15a9c461272ac
SSDEEP: 24576:6bR9HbDng67w6kUrAW3ShXteA9O6dAnbdMEobTVfy7RFgCmhN4nYdjzfFLCE8X/X:6bPHbDgUo1UyfA8BfogzxdjzUX/cbO
Malware Config

Extracted: amadey
Version: 4.21
Botnet: 0e6740
C2: http://147.45.47.155
install_dir: 9217037dc9
install_file: explortu.exe
strings_key: 8e894a8a4a3d0da8924003a561cfb244
url_paths: /ku4Nor9/index.php

Extracted: risepro
C2: 77.91.77.66:58709
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explortu.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explortu.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (16dd6bdcae.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ec378305e1.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explortu.exe)
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (16dd6bdcae.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ec378305e1.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (16dd6bdcae.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ec378305e1.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe)
Executes dropped EXE 5 IoCs
- PID 4044 explortu.exe
- PID 2368 16dd6bdcae.exe
- PID 3720 ec378305e1.exe
- PID 1744 explortu.exe
- PID 3716 explortu.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine (16dd6bdcae.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine (ec378305e1.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine (explortu.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine (explortu.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine (8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Wine (explortu.exe)
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\16dd6bdcae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\16dd6bdcae.exe" (explortu.exe)
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/3720-129-0x0000000000090000-0x00000000005F2000-memory.dmp matches yara rule autoit_exe
- behavioral2/memory/3720-161-0x0000000000090000-0x00000000005F2000-memory.dmp matches yara rule autoit_exe
- behavioral2/memory/3720-168-0x0000000000090000-0x00000000005F2000-memory.dmp matches yara rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
- PID 2396 8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe
- PID 4044 explortu.exe
- PID 2368 16dd6bdcae.exe
- PID 3720 ec378305e1.exe
- PID 1744 explortu.exe
- PID 3716 explortu.exe
Drops file in Windows directory 1 IoCs
- File created C:\Windows\Tasks\explortu.job (8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS 2 IoCs
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637380205814416" (chrome.exe)
Suspicious behavior: EnumeratesProcesses 18 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
- PID 3164 chrome.exe
- PID 3164 chrome.exe
- PID 3164 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 63 IoCs
Suspicious use of SendNotifyMessage 48 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe (PID 2396)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8dec56e88b1659ef8629306ac9c12545828ba7077f4b9d60b44adf6e89b82448.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 4044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 3032)
      Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

    C:\Users\Admin\AppData\Local\Temp\1000016001\16dd6bdcae.exe (PID 2368)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\16dd6bdcae.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1000017001\ec378305e1.exe (PID 3720)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000017001\ec378305e1.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3164)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3216)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb5e9aab58,0x7ffb5e9aab68,0x7ffb5e9aab78

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2132)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:2

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1392)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2224)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2552)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 756)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3480)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 856)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2160)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4652)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 400)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2284)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3700)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1996)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1836,i,12225687825306413557,12159459947131954645,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 1608)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 1744)
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 3716)
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Downloads