Analysis
max time kernel: 150s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240704-en
resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-07-2024 16:25
Static task: static1
Behavioral task: behavioral1
Sample: 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
Resource: win10v2004-20240704-en
General
Target: 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
Size: 2.4MB
MD5: 1353eeb92749ad19736c9e3d97959c2a
SHA1: 0bfd65e336cb0a12b150e7212877cf9b5c466500
SHA256: 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803
SHA512: fb1a3757833a746e811d8ac5a7b3cd486596ba8e1a6ef47efa54f8fd0be71c2719a8d136750a8a551125504072be25ee5b798fa4f1317b5dc53864ba918e8ab7
SSDEEP: 49152:y4AaYJnc45rm8DRje7HYCRvNZ5ZC3JDwHKi7AbfC1N4nNW5WflHBHVQeefi1FYr6:y4H811maeZRvNja1wHTBN4QEHt+DfRr
Malware Config

Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
Attributes:
  url_path: /920475a59bac849d.php

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
Attributes:
  install_dir: ad40971b6b
  install_file: explorti.exe
  strings_key: a434973ad22def7137dbb5e059b7081e
  url_paths: /Hun4Ko/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 5 IoCs]
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | KECGHIJDGC.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry [2 TTPs, 10 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | KECGHIJDGC.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | KECGHIJDGC.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe

Executes dropped EXE [6 IoCs]
Processes:
  pid | process
  768 | KECGHIJDGC.exe
  4896 | explorti.exe
  5012 | 26cde1a05a.exe
  6124 | explorti.exe
  7080 | explorti.exe
  5504 | explorti.exe

Identifies Wine through registry keys [2 TTPs, 5 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine | KECGHIJDGC.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000\Software\Wine | explorti.exe

Loads dropped DLL [2 IoCs]
Processes:
  pid | process
  4760 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
  4760 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
Reads data files stored by FTP clients [2 TTPs]
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Checks installed software on the system [1 TTP]
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger [8 IoCs]
Processes:
  pid | process
  4760 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
  4760 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
  768 | KECGHIJDGC.exe
  4896 | explorti.exe
  5012 | 26cde1a05a.exe
  6124 | explorti.exe
  7080 | explorti.exe
  5504 | explorti.exe

Drops file in Windows directory [1 IoC]
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\explorti.job | KECGHIJDGC.exe

Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry [2 TTPs, 8 IoCs]
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe

Enumerates system info in registry [2 TTPs, 6 IoCs]
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class [1 IoC]
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3590242114-4229536887-1276274119-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses [30 IoCs]
Processes (duplicate rows collapsed, multiplicity in parentheses):
  pid | process
  4760 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe (x4)
  768 | KECGHIJDGC.exe (x2)
  4896 | explorti.exe (x2)
  4232 | msedge.exe (x2)
  4740 | msedge.exe (x2)
  4748 | chrome.exe (x2)
  6124 | explorti.exe (x2)
  6580 | identity_helper.exe (x2)
  6680 | msedge.exe (x2)
  7080 | explorti.exe (x2)
  6172 | msedge.exe (x4)
  6512 | chrome.exe (x2)
  5504 | explorti.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [10 IoCs]
Processes (duplicate rows collapsed, multiplicity in parentheses):
  pid | process
  4740 | msedge.exe (x7)
  4748 | chrome.exe (x3)
Suspicious use of AdjustPrivilegeToken [64 IoCs]
Processes (duplicate rows collapsed, multiplicity in parentheses):
  description | pid | process
  Token: SeShutdownPrivilege | 4748 | chrome.exe (x31)
  Token: SeCreatePagefilePrivilege | 4748 | chrome.exe (x31)
  Token: SeDebugPrivilege | 1748 | firefox.exe (x2)

Suspicious use of FindShellTrayWindow [56 IoCs]
Processes (duplicate rows collapsed):
  pid | process
  768 | KECGHIJDGC.exe
  4740 | msedge.exe (repeated)
  4748 | chrome.exe (repeated)
  1748 | firefox.exe (x4)

Suspicious use of SendNotifyMessage [27 IoCs]
Processes (duplicate rows collapsed, multiplicity in parentheses):
  pid | process
  4740 | msedge.exe (x12)
  4748 | chrome.exe (x12)
  1748 | firefox.exe (x3)

Suspicious use of SetWindowsHookEx [4 IoCs]
Processes:
  pid | process
  4760 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
  4196 | cmd.exe
  5012 | 26cde1a05a.exe
  1748 | firefox.exe

Suspicious use of WriteProcessMemory [64 IoCs]
Processes (duplicate rows collapsed, multiplicity in parentheses):
  description | pid | process | target process
  PID 4760 wrote to memory of 2828 | 4760 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe | cmd.exe (x3)
  PID 4760 wrote to memory of 4196 | 4760 | 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe | cmd.exe (x3)
  PID 2828 wrote to memory of 768 | 2828 | cmd.exe | KECGHIJDGC.exe (x3)
  PID 768 wrote to memory of 4896 | 768 | KECGHIJDGC.exe | explorti.exe (x3)
  PID 4896 wrote to memory of 5012 | 4896 | explorti.exe | 26cde1a05a.exe (x3)
  PID 4896 wrote to memory of 2768 | 4896 | explorti.exe | cmd.exe (x3)
  PID 2768 wrote to memory of 4748 | 2768 | cmd.exe | chrome.exe (x2)
  PID 2768 wrote to memory of 4740 | 2768 | cmd.exe | msedge.exe (x2)
  PID 2768 wrote to memory of 4588 | 2768 | cmd.exe | firefox.exe (x2)
  PID 4748 wrote to memory of 3680 | 4748 | chrome.exe | chrome.exe (x2)
  PID 4740 wrote to memory of 3076 | 4740 | msedge.exe | msedge.exe (x2)
  PID 4588 wrote to memory of 1748 | 4588 | firefox.exe | firefox.exe (repeated)
  PID 1748 wrote to memory of 1900 | 1748 | firefox.exe | firefox.exe (repeated)

Uses Task Scheduler COM API [1 TTP]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation and [depth N] give the nesting level)

[depth 1] C:\Users\Admin\AppData\Local\Temp\7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803.exe"
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4760

  [depth 2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KECGHIJDGC.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2828

    [depth 3] C:\Users\Admin\AppData\Local\Temp\KECGHIJDGC.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\KECGHIJDGC.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 768

      [depth 4] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 4896

        [depth 5] C:\Users\Admin\AppData\Local\Temp\1000006001\26cde1a05a.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\26cde1a05a.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx
            PID: 5012

        [depth 5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\75be2b495b.cmd" "
            - Suspicious use of WriteProcessMemory
            PID: 2768
          [depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
              PID: 4748

            [depth 7] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffc39a0ab58,0x7ffc39a0ab68,0x7ffc39a0ab78
                PID: 3680

            [depth 7] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=2264,i,10283328242702336914,1669265588386893742,131072 /prefetch:2
                PID: 2160

            [depth 7] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=2264,i,10283328242702336914,1669265588386893742,131072 /prefetch:8
                PID: 1580

            [depth 7] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1884 --field-trial-handle=2264,i,10283328242702336914,1669265588386893742,131072 /prefetch:8
                PID: 2612

            [depth 7] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=2264,i,10283328242702336914,1669265588386893742,131072 /prefetch:1
                PID: 2264

            [depth 7] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=2264,i,10283328242702336914,1669265588386893742,131072 /prefetch:1
                PID: 4216

            [depth 7] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=2264,i,10283328242702336914,1669265588386893742,131072 /prefetch:1
                PID: 4424

            [depth 7] C:\Program Files\Google\Chrome\Application\chrome.exe
                Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=2264,i,10283328242702336914,1669265588386893742,131072 /prefetch:2
                - Suspicious behavior: EnumeratesProcesses
                PID: 6512
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
              PID: 4740

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffc36b13cb8,0x7ffc36b13cc8,0x7ffc36b13cd8
                PID: 3076

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
                PID: 2040

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
                - Suspicious behavior: EnumeratesProcesses
                PID: 4232

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
                PID: 5020

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                PID: 4072

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                PID: 3404

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
                PID: 492

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                PID: 5228

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
                PID: 5244

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
                PID: 6320

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
                PID: 6328

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3104 /prefetch:8
                - Suspicious behavior: EnumeratesProcesses
                PID: 6580

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
                - Suspicious behavior: EnumeratesProcesses
                PID: 6680

            [depth 7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,12128828633431222504,9547855558072147535,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1036 /prefetch:2
                - Suspicious behavior: EnumeratesProcesses
                PID: 6172
          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
              - Suspicious use of WriteProcessMemory
              PID: 4588

            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                - Checks processor information in registry
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 1748

              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.0.526844707\142739805" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab0a0cbb-afd3-4ecd-8ee8-17c3001d0959} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 1860 1e4a790ec58 gpu
                  PID: 1900

              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.1.359629351\1929657942" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e271b36-dccc-488d-a326-0319d3883c16} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 2424 1e49ab89658 socket
                  PID: 1080

              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.2.922933877\1149566110" -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3224 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ad3e94e-3e61-4777-8cc0-9910808ad655} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 3240 1e4aa331b58 tab
                  PID: 1124

              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.3.762681072\265539984" -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 27549 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4df5eeab-f817-4b24-aeda-bec406b8f868} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 3740 1e49ab7ab58 tab
                  PID: 5480
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.4.1152442411\1737801580" -childID 3 -isForBrowser -prefsHandle 5136 -prefMapHandle 5128 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3246aea2-fb25-4ec1-9e62-0e7868442144} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 5148 1e4af4ecd58 tab8⤵PID:5856
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.5.1110555460\1207219157" -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {023f0883-342d-4208-8432-b6ce3b834c74} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 5388 1e4af4edc58 tab8⤵PID:5864
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.6.1740641465\2040224643" -childID 5 -isForBrowser -prefsHandle 5508 -prefMapHandle 5516 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cd1a3f9-7410-43d7-a1d1-0f5e012289cc} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 4708 1e4af4eeb58 tab8⤵PID:5792
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAAAAAAAAA.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:4196
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1040
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:5088
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6124
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7080
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5504
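Most of this tree is browser noise (Edge and Firefox child processes spawned when the sample opened youtube.com); the rows that matter are cmd.exe starting an executable out of %TEMP% and the three explorti.exe rows that sit at depth 1, running from the Amadey install_dir/install_file (ad40971b6b\explorti.exe) named in the extracted config, with anti-VM, Wine and NtSetInformationThreadHideFromDebugger signatures attached. The Python below is an added example, not part of the sandbox's tooling: it un-flattens rows in the form these reports extract to (image path immediately followed by the quoted command line, the tree depth digit fused to the last argument before "⤵", PID inline or on the next line, signature bullets belonging to the row above) and then ranks rows with a heuristic score. The scoring weights and the assumption that the depth is a single digit are mine; the four sample rows are copied from the report, with the Edge command line shortened.

```python
"""Un-flatten sandbox process-tree rows and rank the ones worth a human's time."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: four rows copied from the report, in the flattened form
# such reports extract to. Each row is "<image><command line><depth>⤵", the
# PID is either inline ("⤵PID:6328") or on a following line, and the
# signature bullets ("- ...") belong to the row before them. The Edge command
# line is shortened here; the tree depth is assumed to be a single digit.
SAMPLE_TREE = r"""
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAAAAAAAAA.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:4196
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US /prefetch:17⤵PID:6328
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1040
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6124
"""

PROC_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.+?\.exe)"  # image path ends at the first ".exe"
    r"(?P<cmd>.*?)"                     # command line, usually the path again, quoted
    r"(?P<depth>\d)⤵"                   # depth digit fused onto the last argument
    r"(?:PID:(?P<pid>\d+))?\s*-?$"      # inline PID, optional stray "-"
)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int | None = None
    sigs: list[str] = field(default_factory=list)


def parse_tree(text: str) -> list[Proc]:
    """Rebuild one Proc per row, attaching signature bullets and late PIDs."""
    procs: list[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(m["image"], m["cmd"].strip(), int(m["depth"]),
                              int(m["pid"]) if m["pid"] else None))
        elif line.startswith("- ") and procs:
            procs[-1].sigs.append(line[2:])
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:].split()[0])
    return procs


USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
LAUNCH_TEMP = re.compile(r"\bstart\b.*AppData\\Local\\Temp\\", re.IGNORECASE)
# Substrings of the report's own signature names that mark sandbox/debugger evasion.
EVASION = ("anti-VM", "BIOS information", "Wine", "HideFromDebugger")


def triage(procs: list[Proc]) -> list[tuple[int, int | None, str, list[str]]]:
    """Score rows with heuristic weights (my own, not the sandbox's) and sort."""
    findings = []
    for p in procs:
        score, why = 0, []
        if USER_WRITABLE.search(p.image):
            score += 3
            why.append("image lives under a user-writable AppData path")
            if p.depth == 1:  # a new tree root: not spawned by the sample's chain
                score += 2
                why.append("starts as its own root (re-launch after drop)")
        if p.image.lower().endswith("cmd.exe") and LAUNCH_TEMP.search(p.cmdline):
            score += 2
            why.append("cmd.exe starts an executable out of %TEMP%")
        hits = [s for s in p.sigs if any(k in s for k in EVASION)]
        if hits:
            score += 2 * len(hits)
            why.append(f"{len(hits)} evasion signatures: " + "; ".join(hits))
        if "Executes dropped EXE" in p.sigs:
            score += 1
            why.append("flagged as dropped EXE")
        if score:
            findings.append((score, p.pid, p.image, why))
    return sorted(findings, key=lambda f: f[0], reverse=True)


if __name__ == "__main__":
    for score, pid, image, why in triage(parse_tree(SAMPLE_TREE)):
        print(f"[{score:2d}] PID {pid} {image}")
        for reason in why:
            print("      -", reason)
```

On the sample rows this ranks explorti.exe (PID 6124) first and the cmd.exe launcher second; the Edge renderer and CompPkgSrv rows score zero and are dropped. A depth-1 row is only "its own root" relative to what the sandbox captured: the report does not show the mechanism that re-launched explorti.exe, so treat that reason as a prompt to look for the scheduled task or autorun, not as evidence of one.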
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 67KB
MD5: 51c3c3d00a4a5a9d730c04c615f2639b
SHA1: 3b92cce727fc1fb03e982eb611935218c821948f
SHA256: cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA512: 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

Filesize: 240B
MD5: c4a7829e31dfc0d35438020e492fa0a7
SHA1: 6a1e1ea604cf31d3c8467cbb7a648f2e7af19c8e
SHA256: d409202a14a6b36793581eb296b3891f58a594bb38c22d5f7c605aba4be6be89
SHA512: e2d54ed8144d09a7c99c142346bf067691edae6d214fffd0c00530d957bb7c29fd568612866fa43f944182abf042d8e4bbc03c70036e98282629fa050e87c909

Filesize: 2KB
MD5: 75a8425a0da1b6b34d66f258355812c1
SHA1: a628d1c8c2f66f06d7b8d88da0267670cd2f44d2
SHA256: bf8d63224727af67d2a8f5aef9550b4098ea3d27cade8dafa7c94a23409a8aa2
SHA512: 0eedf8f4b25ebb4a20198099fabe63157e45c173c98d93f1a700c4d94fb691b87e5477936803b51d67b37a7cf6653ff09a9ed512bc420ce4279b8b342a90a0c6

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 520B
MD5: a8c8cd4517a5a5cfe9e43cda3f538b99
SHA1: 184886a9c8f755d129ad5666ce8b85b229dd39ed
SHA256: 974034566e326aff958eefe488d204c2b74798dddb0dda575a935bd04f210e9b
SHA512: f898e90ef4ad0357cb36d2b6fb4effbd041307427503504335fa6ac1306195607dd6ff54d18271706ab8240ad4191841816f339160ae903a6873488484a82f15

Filesize: 7KB
MD5: ed6db5cf434769541a93e3a84cf5eb86
SHA1: 63e43afc51f13c5790f33ef1814ac6bd9f623588
SHA256: 888526bd36f642329564e336809e581b91f8a388845cb64f8da7c82edfb72b95
SHA512: 4ce765dddf465f2e9dd619f7c54f87f5266d12b10ab786d823e76df01d6ef1c4952140e0030577295d101eff70f29a6804300e0b78db17e0c257d2d3890a2f0c

Filesize: 144KB
MD5: c93a398a5b8c039033a57c1c11c8598c
SHA1: 31f317e33ec53fc2cff4e3852a59a0b0deed27da
SHA256: 02269474309375e0fa5443e1f28400b58e343c5de3b9b52ab2801d80b1313536
SHA512: ed2b9c912f7f46cb2031345ebb8694755041c9a22a2d308449a6da6e4274e55544d0acf6893e234e2378a8f62022b2a2a0a8f17790caeaa0f082a9bf74a13b60

Filesize: 152B
MD5: 7ba8d5dce4a5e01e0f7e2bc69039b512
SHA1: 94c46692b28fff7c45a5fe460c490f3fefb7c616
SHA256: 8292f28cc308853788aeaea7c49e80f8f10f999718bc65baa4e9e13014a7618d
SHA512: b206368bd307c276b4d415bbe20ab1c8a31799a3af9cc76ae5e5d38d88144cc854f8cde46271e1e5865fe14383e17884942b4a6230ee20c8f1c46f0424fa0ca9

Filesize: 152B
MD5: 491e074ffee79db3045798be635e2447
SHA1: f18b68fbeba3f27483ade74c2e6729d8461e0c02
SHA256: 85c14a21ae9b76c5e941b5806374dbda37d5411123e906d48d510762c8d84ce7
SHA512: fd27b53d90a1999e98e4a56678b7ae098da3f800f3159b76a2b4caf7fdfd5767153f08e7325bba7e73b7c3c7f35386b01bea437711fbe31c5e602a468a8731a8

Filesize: 36KB
MD5: 103d7813f0ccc7445b4b9a4b34fc74bf
SHA1: ed862e8ebd885acde6115c340e59e50e74e3633b
SHA256: 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA512: 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 216B
MD5: fa60d3fd6541d3c82ed52fd57512aa22
SHA1: 60f65bd44ff17128f3614ac508f745eb40e38ec5
SHA256: 2a4fa7ce0fa922ef84656736cd50611f8bf81d401dbc071b084c0006e0634239
SHA512: 30f53d094915356aa9a776e465b11f615c461792b75177b5485fa0450facf9411d46e8a8ef3acb0b93c6c500f52e3568eb8cd51dca3148dee9eb5fac1175cbf9

Filesize: 1KB
MD5: f423453a07969d3f8b0a8e558ff77422
SHA1: 60cdc871f4632317f2f0a581e6b84a4fdf2d79f0
SHA256: b2fb52e4ceb4267148206f1023f85221f74ac51af74c3fa68b0fef4ca4ee1392
SHA512: ae02decff0913d9c64533015a3f034f4298110e82f20068b83e9626fe990f01e805b7755ddd84b4b67189ec3a9d3dc1b58ce2ea7fa7086e96d149dc1fb554179

Filesize: 5KB
MD5: 99643d12164792946a3a3235f1490453
SHA1: 937108ae4317b9cd8ec1bda36b3d3561f6310c77
SHA256: d7c08e5f6b6dee58a2c5e6b417a1f5aa9a9d2f79e87b0fa00458303ba560d94e
SHA512: fc45d1de59ddc6af636a84a668c74b9ccd233a7a6fb98a4253188f59f10a6db3edcf1417c073c65816c0791f8d48c00fad686790b12e747366d1aa4cbd59c7db

Filesize: 6KB
MD5: d090fe6820bd646caed4cc2537855184
SHA1: f1a993c7df9eb661942ccf11788cba16aaa8edd7
SHA256: c1c470e32a83d4d21401e04907e78cf8acf8d58b766b6f93e5beed59811340c5
SHA512: c9f3556b2d911ce35f6d17dee7e3ce3372c60cef3fb21c8c12b1ddb9292155d3587cd4650e769e6291382470dc38458ed31fd13b531c151835fd9553f6bffa5f

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5: 7398c285715b120caacc67470c3da4d9
SHA1: 76e5c19f459bdbe0ff80a5c671fac2f6d9df7e16
SHA256: 2c7d92cf407fd6995f83a6f347e7383d46120c950a6c4edee118ecb31ce52fca
SHA512: 27d76fde07baf8f1c5ae15d3cb53cc003d50cf873c73ec69b448588ea3f002fc51dcd84dd0e820163411286fad377181c1b9f44c8f3b506dae6ab717d91b5b3f

Filesize: 11KB
MD5: 32f8718cdefcd9a415236b8ca97db7b6
SHA1: 0b14709c86afa6f2088b7535d9f3bcbbc0ca3a1b
SHA256: 9402d6457f2a9fa986f527320d1ffe2face945e941c53635e059607a5963cd88
SHA512: 4a9fc8a5a7f7bf757b5c1838774e5f5a18b0704a03a01e0b24ce4f027f05b012ba0dc58fafbcabd088972215f4035af15deb67aa0ef440f452ab275d358538af

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4926s7ha.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 25KB
MD5: 62915ad8e76cf8ecb9e97e935341a7da
SHA1: 23dca316694c672f2bbdaa817a4d6653ebf89e52
SHA256: 3ca06a7f2de543367274a8d2358cb9d8cf5c88fbc0a7eea9472b9e508ba59bd5
SHA512: be2581a155da45570c8c02356a852b80ffd388efd08cfb9ba3b41f67c2013c38edfbc7e9593962721225e95c2e3508a39f5cb8e89b6bb503fc348b718240e2f8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4926s7ha.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 26KB
MD5: d54283de8a0b3b62874a0cd83a16db1e
SHA1: 5ab10f9460307c0e144f89f941b90543592728db
SHA256: 3af6c5a8cb3d7cfcf3efb98f9bc1e59e186510fc383621b4f01ee49b7d104b5a
SHA512: fd0c54ce3ea68500a3c99746fd78d38cbd3db3c64eab3d69628dd8ec65e6ce1cddad1a5234205a9955e90c47b9ca903317a9347cfc63e3ee443310203caf79fb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4926s7ha.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize: 13KB
MD5: 39a6d1989afbf9db3b3aa7b7181a1193
SHA1: 9fe5c34fc348a822454c37da4db58b94fb5665b6
SHA256: 7fb15cc829474b6a5854db191f67be5848a123d54bbc493239bb08f133523070
SHA512: ea1587db518e991abffe670e297e3dc87a75d12994fca079da4285df739ce367ee7f927da1b3821f8871fe72b0f97fc7e4d4f1d5ebe175bc9e06763c535f67b3
Filesize
2.4MB
MD51353eeb92749ad19736c9e3d97959c2a
SHA10bfd65e336cb0a12b150e7212877cf9b5c466500
SHA2567378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803
SHA512fb1a3757833a746e811d8ac5a7b3cd486596ba8e1a6ef47efa54f8fd0be71c2719a8d136750a8a551125504072be25ee5b798fa4f1317b5dc53864ba918e8ab7
-
Filesize
2KB
MD5c1b73be75c9a5348a3e36e9ec2993f58
SHA184b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
-
Filesize
1.8MB
MD5757f36e64d30cf299b25fced0137f062
SHA1cc21e15ab5f98a94a31cef931f8ca423102dfb30
SHA256a829e4c662ac8f6faa8699b7a5d00487cbf478c7845639afd80f40a96c2c6314
SHA512d757159c3a813335ca144ebe86285ef98e8187ad48fc5003bf9de1b20f23c29df24c2223988656f81469badc9527504cd0d2dc03ea5275dae6dd2f3dfd57c672
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Filesize: 6KB
MD5: 68b93ed0a37e21047266a04333542264
SHA1: 9a07389f2bc51ebbb5000e374e448e1c67c226f2
SHA256: 9a0eef7ae5dba9aeb1eb862aa17a7aa96d130bcd878a4ddc8b77df7e3077bc5a
SHA512: d42537fdeb67b2e31ef5c83c6de5435f8889360d46770d64bee98959c1a5d2129bf0233721e43212f32d132b6b2e9a1ec1b063b1de2231074ddd2d8c8f02a86e

Filesize: 8KB
MD5: 5f33cda114239b396475d71433e1eaec
SHA1: 82aefd07b30414368ce480cdfd7a898fc8d015ce
SHA256: 72a712a6e09cd2d9dd5471c2b8e17a532de02a236bc59012f59ec441a92fc363
SHA512: 11851a1c87327e95da6eebbfb92ace988fb4f3500c3f4df11885c355b84a36c9527432ba557e09627ea089fb876daed21a3868a020fd5295e60433495da82210

Filesize: 7KB
MD5: eada481a5ba8c178ae1c9a8ef8596ac0
SHA1: c442742b01039a926998550617cbe45df2e68a2a
SHA256: 89653be53ad439ca392387ab58dcc4b1fcb81b95606f564fe3c930ddf1e29c37
SHA512: 693caf97b9135183d6ee954a2059bb83fc4cf9df7958b68ef849640a15ea12a5a42431ad092bdd6bc6ec70c72ba31973f2fcb46845770bd74c873f0b084223cc

Filesize: 6KB
MD5: a98be0dfcd3577ef14cef11d890c48a8
SHA1: dd155f3dbcee803a8a9d55b614c05d3c33ec48f6
SHA256: d8be48a61e30bad179420e35afdc66619e7d64e6f1c808aa83c951b63beb2b71
SHA512: 60bf77290539df3994a01ed6aee803a24894df87cb5ef4184e488ac2055ee492ba40975cd34bdf775c3d23af2e0439e80f4c89f846706dc8a69b70879b82a4e4

Filesize: 6KB
MD5: e42550d7d3bf5b305dbc4b54d30f86fb
SHA1: 64bcbded36f315cd68b2c2e8b43d5124e57b56fc
SHA256: c5fa891f7ba542fe5a902ec3dfdf8199f14bbe059d7d58982d67a5d20b181ccb
SHA512: 6f3bc0793acb72fa6e67764529599d51fb41ff00d454834fdf464bf90bf56830d48cbc00793a705ea41e49220783051df884a8aae01199d0a7d5c25029c4945e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: 01bcdfd0a9bc3ebe4576158a5db94242
SHA1: 80be5b126e2240c296527ea35bdbe5c6a72e950d
SHA256: 31534e4ef1d5a2d61364ffd179d595a18fdb11570aae94345ba30b0e8ca9344f
SHA512: ba90e13e800cc136a64bbcc32331bcf1b69510dffa4e28e6f4d5e0b4bd702e388df1c7667b3656f853f2fcaf88d59cb8d05ce5f236d4d3cab54a8344a950866c

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
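Not every digest in a listing like this belongs on a blocklist. The 2.4MB entry is the submitted sample itself (its SHA256 matches the Target hash at the top of the report), the gmp-widevinecdm and gmp-gmpopenh264 files and the session store are what Firefox downloads and writes on its own when it is launched, and the final entry carries the digests of zero bytes (d41d8cd9…, da39a3ee…, e3b0c442…), i.e. an empty file. The Python below is an added example, not the sandbox's code: it parses entries as they come out of extraction (label fused to value such as "MD5c8fd…" or "Filesize216B", or label and value on separate lines, entries separated by "-" lines, an optional leading path), length-checks each digest so a swallowed hex character is noticed, and sorts entries into sample / empty / browser-profile / review buckets. The five sample entries are copied from the listing with their SHA512 lines omitted; the bucket rules and the browser-profile path pattern are my own, and the browser-profile bucket is a "look at these separately" bin, not a clean bill of health.

```python
"""Parse a dropped-file hash listing and separate IOCs from sandbox noise."""
import hashlib
import re

# Constructed input: five entries copied from the report's listing, SHA512
# lines omitted. Extraction either fuses the label onto its value
# ("MD5c8fd...", "Filesize216B") or splits them over two lines ("MD5" then
# the digest); entries are separated by "-" lines and may begin with a path.
SAMPLE_DUMP = r"""
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize216B
MD5fa60d3fd6541d3c82ed52fd57512aa22
SHA2562a4fa7ce0fa922ef84656736cd50611f8bf81d401dbc071b084c0006e0634239
-
Filesize
2.4MB
MD51353eeb92749ad19736c9e3d97959c2a
SHA2567378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4926s7ha.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803"
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes: an entry carrying these is an empty file, not an IOC.
EMPTY = {k: getattr(hashlib, k.lower())(b"").hexdigest() for k in ("MD5", "SHA1", "SHA256")}
# Paths the browsers launched in the sandbox write to on their own (plugin
# downloads, session store, code cache). Separated out for review, not cleared.
BROWSER_PROFILE = re.compile(r"\\(Mozilla\\Firefox\\Profiles|Microsoft\\Edge\\User Data)\\", re.I)


def parse_dump(text: str) -> list:
    """One dict per entry; digests are length-checked so a swallowed hex digit shows up."""
    entries, cur, pending = [], {}, None
    for raw in text.splitlines() + ["-"]:  # sentinel flushes the last entry
        line = raw.strip()
        if not line or line == "-":
            if cur:
                entries.append(cur)
            cur, pending = {}, None
            continue
        if pending:  # value that followed its label on the next line
            key, val, pending = pending, line, None
        else:
            m = FIELD_RE.match(line)
            if not m:
                if re.match(r"^[A-Za-z]:\\", line):
                    cur["path"] = line
                continue
            key, val = m.groups()
            if not val:
                pending = key
                continue
        cur[key] = val
        if key in HEX_LEN and not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[key], val):
            cur.setdefault("warnings", []).append(f"{key} is not {HEX_LEN[key]} hex chars")
    return entries


def classify(entries: list, sample_sha256: str = SAMPLE_SHA256) -> dict:
    """Bucket entries: the sample, empty files, browser-profile writes, everything else."""
    buckets = {"sample": [], "empty": [], "browser_profile": [], "review": []}
    for e in entries:
        if e.get("SHA256") == sample_sha256:
            buckets["sample"].append(e)
        elif any(e.get(k) == v for k, v in EMPTY.items()):
            buckets["empty"].append(e)
        elif BROWSER_PROFILE.search(e.get("path", "")):
            buckets["browser_profile"].append(e)
        else:
            buckets["review"].append(e)
    return buckets


def ioc_hashes(entries: list, sample_sha256: str = SAMPLE_SHA256) -> list:
    """SHA256s worth pushing to a blocklist: the sample plus everything left to review."""
    b = classify(entries, sample_sha256)
    return sorted(e["SHA256"] for e in b["sample"] + b["review"] if "SHA256" in e)


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for name, group in classify(parsed).items():
        print(f"{name:16s} {len(group)}")
    print("\n".join(ioc_hashes(parsed)))
```

The empty-file digests are computed with hashlib rather than pasted in, so the check cannot drift from the constants. Entries without a path (most of the listing) land in "review" by default; the 593KB, 2.0MB, 1.8MB and 8.0MB unnamed files are the ones to pull from the sandbox and identify before the hashes are shared.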