Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/06/2024, 01:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe
- Resource: win10v2004-20240508-en
General
- Target: 1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe
- Size: 1.9MB
- MD5: fd33c5a6ec043a22780094069ecd4f90
- SHA1: 2716ddb4df3dbe2c859b5e1dd1b29d1ff7583012
- SHA256: 1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c
- SHA512: 5544cfe5f7b6ab87c5b5141834d251d0b78993e9b25aa3a8d709cb85192cd9af4c30e23ea46df362b1855e01eb0b06761a66b6a9c2af168ec13ecd0bdf1f40a0
- SSDEEP: 49152:zMeVDM2T+DYFlJN6q4CpQYE5AS5lEABphy:4e+xMMBCplEyS56G
Malware Config
Extracted
- Family: amadey
- Version: 4.21
- Botnet: 0e6740
- C2: http://147.45.47.155
- install_dir: 9217037dc9
- install_file: explortu.exe
- strings_key: 8e894a8a4a3d0da8924003a561cfb244
- url_paths: /ku4Nor9/index.php
Extracted
- Family: risepro
- C2: 77.91.77.66:58709
Extracted
- Family: stealc
- Botnet: default
- C2: http://85.28.47.4
- url_path: /920475a59bac849d.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 7 IoCs]
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explortu.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (41ae5ccb64.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (020303d83a.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (IJEGDBGDBF.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explortu.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explortu.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe)
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 14 IoCs]
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (41ae5ccb64.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (41ae5ccb64.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (IJEGDBGDBF.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (IJEGDBGDBF.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explortu.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (020303d83a.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (020303d83a.exe)
Checks computer location settings [2 TTPs, 5 IoCs]
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (num.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (explortu.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (020303d83a.exe)
Executes dropped EXE [7 IoCs]
- PID 2196 explortu.exe
- PID 1264 41ae5ccb64.exe
- PID 1328 020303d83a.exe
- PID 2404 num.exe
- PID 940 IJEGDBGDBF.exe
- PID 4376 explortu.exe
- PID 2836 explortu.exe
Identifies Wine through registry keys [2 TTPs, 7 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine (explortu.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine (1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine (explortu.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine (41ae5ccb64.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine (020303d83a.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine (IJEGDBGDBF.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine (explortu.exe)
Loads dropped DLL [2 IoCs]
- PID 2404 num.exe
- PID 2404 num.exe
Reads data files stored by FTP clients [2 TTPs]
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
Adds Run key to start application [2 TTPs, 1 IoCs]
- Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\41ae5ccb64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\41ae5ccb64.exe" (explortu.exe)
Checks installed software on the system [1 TTPs]
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable [4 IoCs]
AutoIT scripts compiled to PE executables.
- behavioral1/memory/1328-204-0x0000000000B60000-0x00000000010D3000-memory.dmp (yara rule: autoit_exe)
- behavioral1/memory/1328-238-0x0000000000B60000-0x00000000010D3000-memory.dmp (yara rule: autoit_exe)
- behavioral1/memory/1328-245-0x0000000000B60000-0x00000000010D3000-memory.dmp (yara rule: autoit_exe)
- behavioral1/memory/1328-246-0x0000000000B60000-0x00000000010D3000-memory.dmp (yara rule: autoit_exe)
Suspicious use of NtSetInformationThreadHideFromDebugger [9 IoCs]
- PID 2024 1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe
- PID 2196 explortu.exe
- PID 1264 41ae5ccb64.exe
- PID 1328 020303d83a.exe
- PID 2404 num.exe
- PID 2404 num.exe
- PID 940 IJEGDBGDBF.exe
- PID 4376 explortu.exe
- PID 2836 explortu.exe
Drops file in Windows directory [1 IoCs]
- File created C:\Windows\Tasks\explortu.job (1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe)
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry [2 TTPs, 2 IoCs]
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (num.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (num.exe)
Enumerates system info in registry [2 TTPs, 3 IoCs]
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies data under HKEY_USERS [2 IoCs]
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638375233104920" (chrome.exe)
Suspicious behavior: EnumeratesProcesses [22 IoCs]
- PID 2024 1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe
- PID 2024 1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe
- PID 2196 explortu.exe
- PID 2196 explortu.exe
- PID 1264 41ae5ccb64.exe
- PID 1264 41ae5ccb64.exe
- PID 1328 020303d83a.exe
- PID 1328 020303d83a.exe
- PID 1848 chrome.exe
- PID 1848 chrome.exe
- PID 2404 num.exe
- PID 2404 num.exe
- PID 2404 num.exe
- PID 2404 num.exe
- PID 940 IJEGDBGDBF.exe
- PID 940 IJEGDBGDBF.exe
- PID 4376 explortu.exe
- PID 4376 explortu.exe
- PID 2836 explortu.exe
- PID 2836 explortu.exe
- PID 1124 chrome.exe
- PID 1124 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [3 IoCs]
- PID 1848 chrome.exe
- PID 1848 chrome.exe
- PID 1848 chrome.exe
Suspicious use of AdjustPrivilegeToken [64 IoCs]
Suspicious use of FindShellTrayWindow [63 IoCs]
Suspicious use of SendNotifyMessage [60 IoCs]
Suspicious use of SetWindowsHookEx [2 IoCs]
- PID 2404 num.exe
- PID 3948 cmd.exe
Suspicious use of WriteProcessMemory [64 IoCs]
Processes
- C:\Users\Admin\AppData\Local\Temp\1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 2196)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 2612)
      Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    - C:\Users\Admin\AppData\Local\Temp\1000016001\41ae5ccb64.exe (PID 1264)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\41ae5ccb64.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\1000017001\020303d83a.exe (PID 1328)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000017001\020303d83a.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1848)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4340)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd3e6cab58,0x7ffd3e6cab68,0x7ffd3e6cab78
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2544)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:2
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4976)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3560)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4200)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 464)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5060)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3924 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 368)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2784)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1772)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1124)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1920,i,10279810839164875470,11942339223055202515,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe (PID 2404)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe (PID 4816)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJEGDBGDBF.exe"
        - C:\Users\Admin\AppData\Local\Temp\IJEGDBGDBF.exe (PID 940)
          Command line: "C:\Users\Admin\AppData\Local\Temp\IJEGDBGDBF.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 3948)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHIECGCAEB.exe"
        - Checks computer location settings
        - Suspicious use of SetWindowsHookEx
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 448)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 4376)
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe (PID 2836)
  Command line: C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads