Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25/06/2024, 18:57
Static task: static1
Behavioral task: behavioral1
Sample: 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe
Resource: win10v2004-20240508-en
General
- Target: 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe
- Size: 1.8MB
- MD5: ca6846c9841f9095022576a0078e9577
- SHA1: 6c3af76544e148899e08ac7bf2ca0179e7995587
- SHA256: 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c
- SHA512: 50938a53e6225985f9460e37e947646b918d43ca436e4bec0be34798e10ce9cb9a198d80df13bfe91773e41734c29019a794c83df5a907bbe5481a16bc5487d1
- SSDEEP: 24576:doRxns7hEBHWf23680860BdnM3u5k4UDs9L8M5GJnWBAn5Kpc+eVjlTaMQWIHwnp:r2B16nMrk4WlP3jTaMje/RnEdG3
Malware Config
Extracted: amadey
- 4.21
- 0e6740
- http://147.45.47.155
- install_dir: 9217037dc9
- install_file: explortu.exe
- strings_key: 8e894a8a4a3d0da8924003a561cfb244
- url_paths: /ku4Nor9/index.php
Extracted: risepro
- 77.91.77.66:58709
Extracted: stealc
- default
- http://85.28.47.4
- url_path: /920475a59bac849d.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe, explortu.exe (3 entries), 0487cb92b6.exe, 1e08a72964.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe, explortu.exe (3 entries), 0487cb92b6.exe, 1e08a72964.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe, explortu.exe (3 entries), 0487cb92b6.exe, 1e08a72964.exe
Executes dropped EXE (6 IoCs)
- pid 4596 explortu.exe
- pid 3600 0487cb92b6.exe
- pid 5016 1e08a72964.exe
- pid 5004 num.exe
- pid 708 explortu.exe
- pid 2520 explortu.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Wine by explortu.exe (3 entries), 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe, 0487cb92b6.exe, 1e08a72964.exe
Loads dropped DLL (2 IoCs)
- pid 5004 num.exe (2 entries)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\0487cb92b6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\0487cb92b6.exe" by explortu.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
- yara rule autoit_exe matched resource behavioral2/memory/5016-210-0x0000000000120000-0x0000000000673000-memory.dmp
- yara rule autoit_exe matched resource behavioral2/memory/5016-228-0x0000000000120000-0x0000000000673000-memory.dmp
- yara rule autoit_exe matched resource behavioral2/memory/5016-234-0x0000000000120000-0x0000000000673000-memory.dmp
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
- pid 4936 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe
- pid 4596 explortu.exe
- pid 3600 0487cb92b6.exe
- pid 5016 1e08a72964.exe
- pid 5004 num.exe (2 entries)
- pid 2520 explortu.exe
Drops file in Windows directory (1 IoC)
- File created C:\Windows\Tasks\explortu.job by 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by num.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by num.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by chrome.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by chrome.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry by chrome.exe
- Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638154562391599" by chrome.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
- pid 4936 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe (2 entries)
- pid 4596 explortu.exe (2 entries)
- pid 3600 0487cb92b6.exe (2 entries)
- pid 5016 1e08a72964.exe (2 entries)
- pid 4168 chrome.exe (2 entries)
- pid 5004 num.exe (4 entries)
- pid 2520 explortu.exe (2 entries)
- pid 3752 chrome.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
- pid 4168 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- pid 4168 chrome.exe: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating (32 entries each)
Suspicious use of FindShellTrayWindow (64 IoCs)
- pid 4936 0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe (1 entry)
- pid 5016 1e08a72964.exe (repeated entries)
- pid 4168 chrome.exe (repeated entries)
Suspicious use of SendNotifyMessage (48 IoCs)
- pid 5016 1e08a72964.exe (repeated entries)
- pid 4168 chrome.exe (repeated entries)
Suspicious use of SetWindowsHookEx (1 IoC)
- pid 5004 num.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 4936 (0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe) wrote to memory of 4596, procid_target 80 (3 entries)
- PID 4596 (explortu.exe) wrote to memory of 4436, procid_target 87 (3 entries)
- PID 4596 (explortu.exe) wrote to memory of 3600, procid_target 88 (3 entries)
- PID 4596 (explortu.exe) wrote to memory of 5016, procid_target 89 (3 entries)
- PID 5016 (1e08a72964.exe) wrote to memory of 4168, procid_target 90 (2 entries)
- PID 4168 (chrome.exe) wrote to memory of 4920, procid_target 93 (2 entries)
- PID 4168 (chrome.exe) wrote to memory of 4776, procid_target 94 (repeated entries)
- PID 4168 (chrome.exe) wrote to memory of 2868, procid_target 95 (2 entries)
- PID 4168 (chrome.exe) wrote to memory of 3104, procid_target 96 (repeated entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe (PID 4936)
  command line: "C:\Users\Admin\AppData\Local\Temp\0e4e6cd41085b543625c5cf609e02c6fff2073c7c8432743715cc3fb036a9e0c.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 4596)
    command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 4436)
      command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    - C:\Users\Admin\AppData\Local\Temp\1000016001\0487cb92b6.exe (PID 3600)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\0487cb92b6.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\1000017001\1e08a72964.exe (PID 5016)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000017001\1e08a72964.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4168)
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4920)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff4dd7ab58,0x7fff4dd7ab68,0x7fff4dd7ab78
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4776)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:2
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2868)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3104)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 672)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2024)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2144)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3904 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1104)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 764)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4868)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3752)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1824,i,8266545536440477040,9131447152856945734,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe (PID 5004)
      command line: "C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 3276)
  command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 708)
  command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 2520)
  command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads