Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 21:27
Static task: static1
Behavioral task: behavioral1
Sample: 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
Resource: win10v2004-20240611-en
General
Target: 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
Size: 1.9MB
MD5: 055cad687823c779f8a13679749d781b
SHA1: 5d7b9d4240e3a61b5d1b62c1bdae7d26e04170c8
SHA256: 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3
SHA512: f5f55dbd5d0a99e4b26daecafb4e1137a7067e25da6f2038153321ea97bcada79df4936c29579fe5539a0f0501d715f3795e0f0f1d36b9f21ca80cf155f87a34
SSDEEP: 49152:OyKrWGWJAxmH+wQe/Y0vKUVHibkijE4GNZqCjUXP:OOGU4mHvTFRkkU6NwCjUf
Malware Config
Extracted: amadey 4.21 0e6740 http://147.45.47.155
  install_dir: 9217037dc9
  install_file: explortu.exe
  strings_key: 8e894a8a4a3d0da8924003a561cfb244
  url_paths: /ku4Nor9/index.php
Extracted: risepro 77.91.77.66:58709
Extracted: stealc default http://85.28.47.4
  url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 549831cfb5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c1c43106fe.exe

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 549831cfb5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 549831cfb5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c1c43106fe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c1c43106fe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | explortu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | c1c43106fe.exe
Executes dropped EXE (6 IoCs)
pid | Process
5060 | explortu.exe
2276 | 549831cfb5.exe
3076 | c1c43106fe.exe
2908 | num.exe
5224 | explortu.exe
3108 | explortu.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
Key opened | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine | 549831cfb5.exe
Key opened | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine | c1c43106fe.exe
Key opened | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine | explortu.exe
Loads dropped DLL (2 IoCs)
pid | Process
2908 | num.exe
2908 | num.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\549831cfb5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\549831cfb5.exe" | explortu.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3076-213-0x00000000009A0000-0x0000000000EF7000-memory.dmp | autoit_exe
behavioral1/memory/3076-233-0x00000000009A0000-0x0000000000EF7000-memory.dmp | autoit_exe
behavioral1/memory/3076-240-0x00000000009A0000-0x0000000000EF7000-memory.dmp | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
pid | Process
4476 | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
5060 | explortu.exe
2276 | 549831cfb5.exe
3076 | c1c43106fe.exe
2908 | num.exe
2908 | num.exe
5224 | explortu.exe
3108 | explortu.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\explortu.job | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | num.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | num.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638244514558626" | chrome.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
4476 | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
4476 | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
5060 | explortu.exe
5060 | explortu.exe
2276 | 549831cfb5.exe
2276 | 549831cfb5.exe
3076 | c1c43106fe.exe
3076 | c1c43106fe.exe
1688 | chrome.exe
1688 | chrome.exe
2908 | num.exe
2908 | num.exe
2908 | num.exe
2908 | num.exe
5224 | explortu.exe
5224 | explortu.exe
3108 | explortu.exe
3108 | explortu.exe
1872 | chrome.exe
1872 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid | Process
1688 | chrome.exe
1688 | chrome.exe
1688 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs, identical entries collapsed with a count)
description | pid | Process | count
Token: SeShutdownPrivilege | 1688 | chrome.exe | 32
Token: SeCreatePagefilePrivilege | 1688 | chrome.exe | 32
Suspicious use of FindShellTrayWindow (63 IoCs, identical entries collapsed with a count)
pid | Process | count
3076 | c1c43106fe.exe | 36
1688 | chrome.exe | 27
Suspicious use of SendNotifyMessage (60 IoCs, identical entries collapsed with a count)
pid | Process | count
3076 | c1c43106fe.exe | 36
1688 | chrome.exe | 24
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2908 | num.exe
Suspicious use of WriteProcessMemory (64 IoCs, identical entries collapsed with a count)
description | pid | Process | procid_target | count
PID 4476 wrote to memory of 5060 | 4476 | 06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe | 87 | 3
PID 5060 wrote to memory of 4824 | 5060 | explortu.exe | 92 | 3
PID 5060 wrote to memory of 2276 | 5060 | explortu.exe | 93 | 3
PID 5060 wrote to memory of 3076 | 5060 | explortu.exe | 95 | 3
PID 3076 wrote to memory of 1688 | 3076 | c1c43106fe.exe | 98 | 2
PID 1688 wrote to memory of 2684 | 1688 | chrome.exe | 100 | 2
PID 1688 wrote to memory of 3220 | 1688 | chrome.exe | 101 | 31
PID 1688 wrote to memory of 4912 | 1688 | chrome.exe | 102 | 2
PID 1688 wrote to memory of 4476 | 1688 | chrome.exe | 103 | 15
Processes
(process tree; indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06eee69adc484d95d3458f46b6098c135618ea4bb186eb1df5245c08e55fcde3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4476
    C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 5060
        C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
          PID: 4824
        C:\Users\Admin\AppData\Local\Temp\1000016001\549831cfb5.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\549831cfb5.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          PID: 2276
        C:\Users\Admin\AppData\Local\Temp\1000017001\c1c43106fe.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000017001\c1c43106fe.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 3076
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
              - Enumerates system info in registry
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
              PID: 1688
                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeab93ab58,0x7ffeab93ab68,0x7ffeab93ab78
                  PID: 2684

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:2
                  PID: 3220

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:8
                  PID: 4912

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:8
                  PID: 4476

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:1
                  PID: 3436

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:1
                  PID: 812

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:1
                  PID: 4472

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:8
                  PID: 5260

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:8
                  PID: 5320

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:8
                  PID: 5328

                C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1948,i,6339736914107162597,13742834579767778411,131072 /prefetch:2
                  - Suspicious behavior: EnumeratesProcesses
                  PID: 1872
        C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          PID: 2908
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 4052
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 5224
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3108
Network
MITRE ATT&CK Enterprise v15
Downloads