Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows11-21h2_x64 -
resource
win11-20240704-en -
resource tags
arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system -
submitted
08-07-2024 18:10
Static task
static1
Behavioral task
behavioral1
Sample
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe
Resource
win10v2004-20240704-en
General
-
Target
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe
-
Size
1.8MB
-
MD5
d5d3a63a0c127480a4f3c3acde73a130
-
SHA1
6386347bb05c432a70895ba02cfbaec68a9067f0
-
SHA256
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7
-
SHA512
c7bd14f45005b1ff14a5cdf6b80777f97ee901445607e09da25c1bd4123c662f72ecd122578eccaca846b455fc04510cddc9f25fed6405d915cb04ea9a239180
-
SSDEEP
49152:lggNvcrdnJUUUFTIb8TDHbhqDxX+aPGILatdM:qgFcrdnJUUUFTq8nHbhoOaPGILatm
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exeexplorti.exeJEBGCBAFCG.exeBGCFBGDHJK.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ JEBGCBAFCG.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BGCFBGDHJK.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
BGCFBGDHJK.exeexplorti.exe10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exeJEBGCBAFCG.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion BGCFBGDHJK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion JEBGCBAFCG.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion BGCFBGDHJK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion JEBGCBAFCG.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exe62c4b63e7d.exeJEBGCBAFCG.exeBGCFBGDHJK.exeexplorti.exeexplorti.exeexplorti.exepid process 4964 explorti.exe 3216 62c4b63e7d.exe 5256 JEBGCBAFCG.exe 6000 BGCFBGDHJK.exe 6700 explorti.exe 5764 explorti.exe 4788 explorti.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
BGCFBGDHJK.exeexplorti.exeexplorti.exeexplorti.exe10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exeexplorti.exeJEBGCBAFCG.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine BGCFBGDHJK.exe Key opened \REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe Key opened \REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine JEBGCBAFCG.exe -
Loads dropped DLL 2 IoCs
Processes:
62c4b63e7d.exepid process 3216 62c4b63e7d.exe 3216 62c4b63e7d.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exeexplorti.exe62c4b63e7d.exeJEBGCBAFCG.exeBGCFBGDHJK.exeexplorti.exeexplorti.exepid process 952 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe 4964 explorti.exe 3216 62c4b63e7d.exe 3216 62c4b63e7d.exe 5256 JEBGCBAFCG.exe 6000 BGCFBGDHJK.exe 6700 explorti.exe 5764 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exedescription ioc process File created C:\Windows\Tasks\explorti.job 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exe62c4b63e7d.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 62c4b63e7d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 62c4b63e7d.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
msedge.exechrome.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exeexplorti.exe62c4b63e7d.exemsedge.exemsedge.exechrome.exemsedge.exeJEBGCBAFCG.exeBGCFBGDHJK.exeidentity_helper.exeexplorti.exeexplorti.exemsedge.exechrome.exepid process 952 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe 952 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe 4964 explorti.exe 4964 explorti.exe 3216 62c4b63e7d.exe 3216 62c4b63e7d.exe 5108 msedge.exe 5108 msedge.exe 2248 msedge.exe 2248 msedge.exe 3508 chrome.exe 3508 chrome.exe 3216 62c4b63e7d.exe 3216 62c4b63e7d.exe 5260 msedge.exe 5260 msedge.exe 5256 JEBGCBAFCG.exe 5256 JEBGCBAFCG.exe 6000 BGCFBGDHJK.exe 6000 BGCFBGDHJK.exe 6588 identity_helper.exe 6588 identity_helper.exe 6700 explorti.exe 6700 explorti.exe 5764 explorti.exe 5764 explorti.exe 6852 msedge.exe 6852 msedge.exe 6852 msedge.exe 6852 msedge.exe 6980 chrome.exe 6980 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exechrome.exepid process 2248 msedge.exe 2248 msedge.exe 3508 chrome.exe 3508 chrome.exe 2248 msedge.exe 3508 chrome.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
firefox.exechrome.exedescription pid process Token: SeDebugPrivilege 2328 firefox.exe Token: SeDebugPrivilege 2328 firefox.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe Token: SeShutdownPrivilege 3508 chrome.exe Token: SeCreatePagefilePrivilege 3508 chrome.exe -
Suspicious use of FindShellTrayWindow 56 IoCs
Processes:
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exemsedge.exechrome.exefirefox.exepid process 952 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 2328 firefox.exe 2328 firefox.exe 2328 firefox.exe 2328 firefox.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe -
Suspicious use of SendNotifyMessage 27 IoCs
Processes:
msedge.exechrome.exefirefox.exepid process 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 2328 firefox.exe 2328 firefox.exe 2328 firefox.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 2248 msedge.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe 3508 chrome.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
62c4b63e7d.exefirefox.exepid process 3216 62c4b63e7d.exe 2328 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exeexplorti.execmd.exechrome.exefirefox.exemsedge.exefirefox.exedescription pid process target process PID 952 wrote to memory of 4964 952 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe explorti.exe PID 952 wrote to memory of 4964 952 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe explorti.exe PID 952 wrote to memory of 4964 952 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe explorti.exe PID 4964 wrote to memory of 3216 4964 explorti.exe 62c4b63e7d.exe PID 4964 wrote to memory of 3216 4964 explorti.exe 62c4b63e7d.exe PID 4964 wrote to memory of 3216 4964 explorti.exe 62c4b63e7d.exe PID 4964 wrote to memory of 3144 4964 explorti.exe cmd.exe PID 4964 wrote to memory of 3144 4964 explorti.exe cmd.exe PID 4964 wrote to memory of 3144 4964 explorti.exe cmd.exe PID 3144 wrote to memory of 3508 3144 cmd.exe chrome.exe PID 3144 wrote to memory of 3508 3144 cmd.exe chrome.exe PID 3144 wrote to memory of 2248 3144 cmd.exe msedge.exe PID 3144 wrote to memory of 2248 3144 cmd.exe msedge.exe PID 3144 wrote to memory of 2564 3144 cmd.exe CompPkgSrv.exe PID 3144 wrote to memory of 2564 3144 cmd.exe CompPkgSrv.exe PID 3508 wrote to memory of 5028 3508 chrome.exe chrome.exe PID 3508 wrote to memory of 5028 3508 chrome.exe chrome.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2564 wrote to memory of 2328 2564 firefox.exe firefox.exe PID 2248 wrote to memory of 8 2248 msedge.exe msedge.exe PID 2248 wrote to memory of 8 2248 msedge.exe msedge.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe PID 2328 wrote to memory of 1280 2328 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe"C:\Users\Admin\AppData\Local\Temp\10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\1000006001\62c4b63e7d.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\62c4b63e7d.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEBGCBAFCG.exe"4⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\JEBGCBAFCG.exe"C:\Users\Admin\AppData\Local\Temp\JEBGCBAFCG.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5256
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BGCFBGDHJK.exe"4⤵PID:1668
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5760
-
-
C:\Users\Admin\AppData\Local\Temp\BGCFBGDHJK.exe"C:\Users\Admin\AppData\Local\Temp\BGCFBGDHJK.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6000
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\17d9839f7b.cmd" "3⤵
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fff1eacab58,0x7fff1eacab68,0x7fff1eacab785⤵PID:5028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=2308,i,2899821634135519630,6312355364892312636,131072 /prefetch:25⤵PID:5088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=2308,i,2899821634135519630,6312355364892312636,131072 /prefetch:85⤵PID:952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1904 --field-trial-handle=2308,i,2899821634135519630,6312355364892312636,131072 /prefetch:85⤵PID:3712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=2308,i,2899821634135519630,6312355364892312636,131072 /prefetch:15⤵PID:2820
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=2308,i,2899821634135519630,6312355364892312636,131072 /prefetch:15⤵PID:5032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4064 --field-trial-handle=2308,i,2899821634135519630,6312355364892312636,131072 /prefetch:15⤵PID:6052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=880 --field-trial-handle=2308,i,2899821634135519630,6312355364892312636,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:6980
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fff1e2f3cb8,0x7fff1e2f3cc8,0x7fff1e2f3cd85⤵PID:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2036 /prefetch:25⤵PID:4924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:5108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:85⤵PID:1408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:15⤵PID:1248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:15⤵PID:3408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:15⤵PID:5760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:15⤵PID:6044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:15⤵PID:6060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:5260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:15⤵PID:5940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:15⤵PID:3216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:6588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2285144161358472408,17559363956838394470,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4524 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:6852
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"4⤵
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.0.1049184584\16076465" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef5e387e-3049-4290-ad0d-7060dd19c148} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 1840 23ad9d0e358 gpu6⤵PID:1280
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.1.660221645\1958306601" -parentBuildID 20230214051806 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d767f03-8f46-4d54-860d-a800e061ccaf} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 2428 23acd086f58 socket6⤵PID:452
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.2.755050910\590729010" -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faa54052-585c-4fe4-85c5-d411b326ea83} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 3304 23adcf52158 tab6⤵PID:1116
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.3.374945574\1370623374" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 3040 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8daec22-7609-4b0a-8c2f-7f59112e4cf0} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 3568 23adfbcb658 tab6⤵PID:3688
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.4.1329318979\2056792257" -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96637e18-ec2b-4d34-8e0c-ae7f6e830693} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 5244 23ae1c78d58 tab6⤵PID:5164
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.5.492823604\397636365" -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d33982db-1d53-4425-ac27-424d9a7a20b2} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 5384 23ae1c79f58 tab6⤵PID:5172
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2328.6.86017917\285922474" -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98992526-4183-47da-97ca-fd8a71fd7f97} 2328 "\\.\pipe\gecko-crash-server-pipe.2328" 5576 23ae1c7a558 tab6⤵PID:5188
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2564
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:5268
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5476
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6700
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5764
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4788
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
67KB
MD551c3c3d00a4a5a9d730c04c615f2639b
SHA13b92cce727fc1fb03e982eb611935218c821948f
SHA256cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA5127af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542
-
Filesize
240B
MD55dc7a21302a0e96cdae44009fc1f3dcf
SHA17239e20aa99ee8ce52a646595fd1e667fd1e04b0
SHA2566a4edf1756117616afdf413f1e8dc52e73bbbc5d796a2097524f3c9d171a8c2e
SHA512f27cc1beebb4d1e91f5743fc881ff548118ed332ad31d204ca681c0f2289d6bb36ac2c9d4e22df01b9e8332216cbc36d54518116baa56ed02d461b2159b53600
-
Filesize
2KB
MD589eea8745b5c4be9641ad1342fff1ed9
SHA1bd081a65e008850e5f6ac2eec8a3a95199b023f2
SHA256e317bcc317d4d3ad12571d1c94c4d847b6bab2c691683f71c405782b9ffddd70
SHA5122f3039a62f11e766099bc518b072a6ace48164f62f22609c0afa05d465cee9c764993a9a461d9730c25037e5038bd31d6282dc7f800a25461e8434c5efac6092
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
522B
MD5209f04a06cd3f0598f141c5318c41728
SHA1ebc613b942a091e2fcf6d17047c836adf37c83f8
SHA25638c07120f4345ec1782ccf9a1114b7974ae3b034879d9899a1f4202e267ee4dd
SHA5129d5208eac6dc5b7eb6262718859caa0e7318a5e2cb2eb549499cd9dce4cfd2a4eba3b0a985b244a6fc26b062b0843315d2c99aeb9d12897d2ccd8cffefacecaf
-
Filesize
7KB
MD57c0ab1e33d58c0fcfd78f13c8cb4a305
SHA1050991b646b778ca01c7c33e865b4b474182fbcb
SHA256c5985162b630742034c7807ce64d6208f3a2444890045e20cc240ddb43fb00c0
SHA512a05122f96e40804fa319bba1e0d7ad441f06c34514ab96f8f1244f6639ee0064e04e3b4d93347da83b90dc5b46e81e61d5fdbe7799ec37da1aaac7bbc6ff9f2d
-
Filesize
144KB
MD543ddc83306542733d65353a25123e361
SHA146a70943992d16f240e02e8c7da1e8ef13eb04f4
SHA256fbedd4658d155ceeb60df7e6ccae2c5e03213394023d700797b3030080ece512
SHA51281452eb50ca2ad0ee529d82c0e3dee789bdd4df834ebb94136f0974f800457d846475577685bcf73f1816a3b14f88a65a9af7c9b2535bf6fa5d5d0208c43bdb6
-
Filesize
152B
MD511b22949a84a750056bef0aa6ea4fc45
SHA1c3d49da0344a2bb3cebbce6569b1fd223aa2ebd8
SHA25659db861ff42f39a5f777bd9b8a167b7b15c96e60ed148ea875a9f1f0d4caaa6f
SHA51201bbc38a4b8fb8a53c3897d63d3362c8a980fcb395986671cfd13e0fa893a68ab3e45379127da69565e0b1e4125a41834c62b06b8d9b852c6b71a1ec68a930b0
-
Filesize
152B
MD59b1f20c797906f82fd003270485ceaef
SHA151ee0859382d77aba329e0ec2dad81b383c534ed
SHA2567980e988f80ffc29a79b2d13c0d4160ad1d1f77fb6ddd95b7ec263b7421a0c91
SHA5127b8f859ffa55759a1e90540754bc80a4218ddf2ee953736865ba4c5c9aa33556bd8ac45da1dce7426c75c5d754268c450054f875927cbba800ad665f09941cde
-
Filesize
36KB
MD5103d7813f0ccc7445b4b9a4b34fc74bf
SHA1ed862e8ebd885acde6115c340e59e50e74e3633b
SHA2560ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA5120723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize216B
MD5f2a7edf9f39eabcb8af64dc8b6a52c1b
SHA1970696df4cdf60be2dc4747baa990fa6f8b5c140
SHA2560caf8d84979fa0f7da15b779d56dd872de32cb847b27b3d61acfe349980ab87b
SHA512430795b362da28f7b4365317ef1cbae370459e4440f4caf8768d847274c61f3d160b1d65f5ef643db867a98d6e17c9dd836465bbd7a53505eb9c59ae3dad2823
-
Filesize
1KB
MD5858abac6d808f5e84d02734384079a65
SHA1078870039a00fed4cc8fd636b749d29a9ecee007
SHA256e6b4d843c8ca10e755f3982dec0d8713f800da15a53db2a2416c011ba4868a58
SHA512e33c20afa033400e74a03a7ec08d0c45fd4188793bf0c58cc230f44ae6eaa2d43984c0ae95322fe3b850d23cd09fb4f7f894cbf8b171ca7428d1ff2ea4b573f1
-
Filesize
5KB
MD55df302f96971e242f3c75532bfd37474
SHA1d5ada4b6566ad5db80cb9d6f2c1d764f75d7ccb0
SHA256f68bd460171e6364eb9fa6a5a8a6dfac96ea4be8fbadca0af1e07bdc027a31e1
SHA512ed3dfaf4e5bcfe1bba14ed3a47c7186fbf706bcc9ce64a7d0284877906a48f5a370c8cb853359cdd6d4d04cbec4b550e6fb34e09ba4abb1a906233b5640d45ed
-
Filesize
6KB
MD56c1c9365043a6d8970853fd2aac02206
SHA1cf66890335d1e229a6d103e0ba7ed901cc027438
SHA25622b32ecfab137d13f51ac83c836a8365719dae0f36a6f7cbf0d27b800a097f5a
SHA5121e4664e4c24071165acd4b8ba33a83e572e867e1e8882b8ce8605c71bfe52d3e4902521ed36326a5ed093c3144fbbbf96276802e8174fe0fd12ec2baa78a546c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD510b4fab60f443a0c3687e6ca7008f7a8
SHA1d400c298fa559e559d023af23b78ab341370e132
SHA2562df582e639d6e6861b3d099f1e8930fbedef8bebf63a3794fb2a2118985632fc
SHA5128a57856f388444a467c0217ab74483cd4e45c39ab3da1ba0ad6c9d80c1f92205d1bc50171926318abcef85f7d04f1d13fb240778cfb72a52dab9daf38dde529e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w5uqp68f.default-release\activity-stream.discovery_stream.json.tmp
Filesize25KB
MD58173baddb247ba57ec9f6e5bcf4881d9
SHA1a0bf72bcea0e1565eb13885c30cd5bd76f014b79
SHA2569b305933f3c6c0cf9648b7dcb8715e61c74fba15f9d1da05af895c8cf1c5223b
SHA512e959fb8a3690968fed6dabd332b1b8fd48a273ce8671e1a674db791854c9b20aabecd0a5f1b801b4db9c66cc5729dceff1e55f42b273c1a2aa4a2dafec641615
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w5uqp68f.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD5a33cbb40bf604e18639a31a3c1ce3e7a
SHA1f0c1998a7fc8132abec4507c7bb3cf447ec6c20f
SHA256d192886d835c7bb75f18fb30fa6c15d9f7c8105e2c696efac3a200f9380f05f3
SHA5121273382ad7b121ae013aec8516df32e69384a87aebc19b57a1a58714ace2db5f43a3a61e2d90c29ef857f35b3acfdea17c0a37205f01657dd63e9b1275ccf1db
-
Filesize
2.4MB
MD51353eeb92749ad19736c9e3d97959c2a
SHA10bfd65e336cb0a12b150e7212877cf9b5c466500
SHA2567378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803
SHA512fb1a3757833a746e811d8ac5a7b3cd486596ba8e1a6ef47efa54f8fd0be71c2719a8d136750a8a551125504072be25ee5b798fa4f1317b5dc53864ba918e8ab7
-
Filesize
2KB
MD5c1b73be75c9a5348a3e36e9ec2993f58
SHA184b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
-
Filesize
1.8MB
MD5d5d3a63a0c127480a4f3c3acde73a130
SHA16386347bb05c432a70895ba02cfbaec68a9067f0
SHA25610e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7
SHA512c7bd14f45005b1ff14a5cdf6b80777f97ee901445607e09da25c1bd4123c662f72ecd122578eccaca846b455fc04510cddc9f25fed6405d915cb04ea9a239180
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
256KB
MD5b81d3ac8cc138dd48a44bb74848425cc
SHA111f29192a08c05a61f4e50bd6746876b85dd416c
SHA256fb0ab91dc6ef1c7350890ccd5ae6680e0af797868a8be0876ceb8e8063f66106
SHA5122aae584a332b66c346c4b828b1be02a2a9b30a5966a277eb64c43e3f9db8e4658d10bb00ec96cb71bfe78400ca04ac04eb7d8c2cc95f8ab11850fb5334c2b590
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w5uqp68f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w5uqp68f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w5uqp68f.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w5uqp68f.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w5uqp68f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w5uqp68f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w5uqp68f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
992KB
MD5d184f9eba511a6fd502f2289fedd73f3
SHA1e17f4b5d5dbd6696e76ecba23dc2fb764704d3c4
SHA256d5594f6a355de72c46c881234df7f56f7987e81b6692dc0c429de15602ba1f77
SHA512b6381162adb26b4713bc232c505114fffb822ca531064dfab1da9a5f98b07da354bcce4dfe5e6ebc35cd41c94dacb1148b91fe8705abcd143f19c499978cfb57
-
Filesize
6KB
MD59aa83554c42c9740caeb94c60a8ea965
SHA1c18f4665ab03715041f12b754a65515acc90f659
SHA256a8483a4369e972ce97ec6b58f6dc43f1d1a356eb4b46aa125ff796317981bfea
SHA512862be51badb9c37affd622d5a71aa2321a3936c842072eeadee67e8feabb8163103fb1f78f8bf579e028feeaa45e18976cd9d175c14c1bbfe76570e6c2f9948a
-
Filesize
9KB
MD529ffe3b9fef320689e546ab86d5701d5
SHA1c4f84491be3daafc6d6793d34fbcf5eb1e6939ef
SHA256f3108daadf38e13d603bfac40c01a2d1e44771f495cb8d54df10a29de713b613
SHA51283620d4213ddfb1836daa0810e2db34ab5fba6307284173f6dc24a9d5d1a10cd095879e0a096f6e3d87bac7d2e590ecd92fedfc6814c83c1cb4aa15a6c442d5b
-
Filesize
6KB
MD55f4107421a8d7d996d685ca861e0fbb1
SHA18e482efa0f3abb6b0cc7b4beb73ee3636e97b96f
SHA2564d687f0c90e9f362311ffa3b6d1e5e5b1ec81fc25e64be12b7dab4feb7e3834b
SHA5125d6e23449c0e117f111ecea68e757c0df4e15715868d46476f7a2472721602da84a2ec6e5fe389d72f0e2a54067a0bf2e35d3f32ef3746068e28a7d6881405a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w5uqp68f.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5cffc98278a3d686452d9455fb502d810
SHA16bd42f297ffde344842d82c9cd93a9973ac9e261
SHA2566f3639e0b9913a3163987c3ca8eb91aadc193ba8ddb05be0a83e3b2a132d1067
SHA512905c7356916d39078c6fe1d3011f4d43fe0b3f21b0a4c4766a2088b51d70a4318e083b3b69df7427da421d1e0c9a524fc21ca69463705209d5b24ecc8e687d9e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e