Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240704-en
resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-07-2024 03:02
Static task: static1
Behavioral task: behavioral1
Sample: e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
Resource: win10v2004-20240704-en
General
Target: e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
Size: 1.8MB
MD5: 3c2244f8cfcff51f66b7d71bff61dc5e
SHA1: 3c2e5dcabe6837b8ef81e6f94a50af55ff48f6b7
SHA256: e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d
SHA512: 9888adb1d37ebd2ce671bb63337faf6150558bba4b0c1f88cbd59f272ab9cfa386f6ff03b622d79c3a0b52e343aec03e96c966a556ab270994b07fa7e4580bfc
SSDEEP: 49152:065/G397aZdcyLy/OttBplDq2pq5Xk0PlE71dr1DyV3ouU6ZE5g:X+97aZdcyLTBpQ20jq79yUb
Malware Config
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IEGCBAAFHD.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | KKEHDBAEGI.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | KKEHDBAEGI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | KKEHDBAEGI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IEGCBAAFHD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IEGCBAAFHD.exe
Executes dropped EXE (6 IoCs)
Processes:
pid | process
4888 | explorti.exe
4492 | d3ce002778.exe
5788 | IEGCBAAFHD.exe
3652 | KKEHDBAEGI.exe
7104 | explorti.exe
6704 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000\Software\Wine | KKEHDBAEGI.exe
Key opened | \REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000\Software\Wine | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
Key opened | \REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000\Software\Wine | IEGCBAAFHD.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
4492 | d3ce002778.exe
4492 | d3ce002778.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes:
pid | process
2804 | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
4888 | explorti.exe
4492 | d3ce002778.exe
4492 | d3ce002778.exe
5788 | IEGCBAAFHD.exe
3652 | KKEHDBAEGI.exe
7104 | explorti.exe
6704 | explorti.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d3ce002778.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | d3ce002778.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes (identical consecutive entries collapsed, count in parentheses):
pid | process
2804 | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe (x2)
4888 | explorti.exe (x2)
3640 | msedge.exe (x2)
4492 | d3ce002778.exe (x2)
456 | msedge.exe (x2)
2660 | chrome.exe (x2)
4492 | d3ce002778.exe (x2)
5788 | IEGCBAAFHD.exe (x2)
3652 | KKEHDBAEGI.exe (x2)
4712 | msedge.exe (x2)
5840 | identity_helper.exe (x2)
7104 | explorti.exe (x2)
6704 | explorti.exe (x2)
6880 | msedge.exe (x4)
6336 | chrome.exe (x2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes (identical consecutive entries collapsed, count in parentheses):
pid | process
456 | msedge.exe (x2)
2660 | chrome.exe (x3)
456 | msedge.exe (x5)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (identical entries collapsed, count in parentheses):
description | pid | process
Token: SeShutdownPrivilege | 2660 | chrome.exe (x31)
Token: SeCreatePagefilePrivilege | 2660 | chrome.exe (x31)
Token: SeDebugPrivilege | 3616 | firefox.exe (x2)
The entries are ordered as one SeShutdownPrivilege/SeCreatePagefilePrivilege pair for chrome.exe, the two SeDebugPrivilege entries for firefox.exe, and then the remaining 30 SeShutdownPrivilege/SeCreatePagefilePrivilege pairs for chrome.exe.
Suspicious use of FindShellTrayWindow (56 IoCs)
Processes (identical consecutive entries collapsed, count in parentheses):
pid | process
2804 | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe (x1)
456 | msedge.exe (x17)
2660 | chrome.exe (x17)
456 | msedge.exe (x8)
2660 | chrome.exe (x9)
3616 | firefox.exe (x4)
Suspicious use of SendNotifyMessage (27 IoCs)
Processes (identical consecutive entries collapsed, count in parentheses):
pid | process
456 | msedge.exe (x8)
2660 | chrome.exe (x8)
456 | msedge.exe (x4)
2660 | chrome.exe (x4)
3616 | firefox.exe (x3)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
4492 | d3ce002778.exe
3616 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical consecutive entries collapsed, count in parentheses):
description | pid | process | target process
PID 2804 wrote to memory of 4888 | 2804 | e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe | explorti.exe (x3)
PID 4888 wrote to memory of 4492 | 4888 | explorti.exe | d3ce002778.exe (x3)
PID 4888 wrote to memory of 3284 | 4888 | explorti.exe | cmd.exe (x3)
PID 3284 wrote to memory of 2660 | 3284 | cmd.exe | chrome.exe (x2)
PID 3284 wrote to memory of 456 | 3284 | cmd.exe | msedge.exe (x2)
PID 3284 wrote to memory of 3088 | 3284 | cmd.exe | firefox.exe (x2)
PID 2660 wrote to memory of 2656 | 2660 | chrome.exe | chrome.exe (x2)
PID 3088 wrote to memory of 3616 | 3088 | firefox.exe | firefox.exe (x11)
PID 456 wrote to memory of 4576 | 456 | msedge.exe | msedge.exe (x2)
PID 3616 wrote to memory of 2324 | 3616 | firefox.exe | firefox.exe (x34)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (the bracketed number is the depth in the tree; each entry lists its image path, command line, triggered signatures and PID):
[1] C:\Users\Admin\AppData\Local\Temp\e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2804
  [2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4888
    [3] C:\Users\Admin\AppData\Local\Temp\1000006001\d3ce002778.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1000006001\d3ce002778.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        PID: 4492
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IEGCBAAFHD.exe"
          PID: 2088
        [5] C:\Users\Admin\AppData\Local\Temp\IEGCBAAFHD.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\IEGCBAAFHD.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID: 5788
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKEHDBAEGI.exe"
          PID: 5780
        [5] C:\Users\Admin\AppData\Local\Temp\KKEHDBAEGI.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\KKEHDBAEGI.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID: 3652
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\cf1e4e7d45.cmd" "
        - Suspicious use of WriteProcessMemory
        PID: 3284
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 2660
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff94b20ab58,0x7ff94b20ab68,0x7ff94b20ab78
            PID: 2656
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1952,i,13388177197637894719,7887967041239673842,131072 /prefetch:2
            PID: 3404
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1952,i,13388177197637894719,7887967041239673842,131072 /prefetch:8
            PID: 1268
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1952,i,13388177197637894719,7887967041239673842,131072 /prefetch:8
            PID: 428
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1952,i,13388177197637894719,7887967041239673842,131072 /prefetch:1
            PID: 800
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1952,i,13388177197637894719,7887967041239673842,131072 /prefetch:1
            PID: 4148
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4148 --field-trial-handle=1952,i,13388177197637894719,7887967041239673842,131072 /prefetch:1
            PID: 5596
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 --field-trial-handle=1952,i,13388177197637894719,7887967041239673842,131072 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID: 6336
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 456
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff94ac03cb8,0x7ff94ac03cc8,0x7ff94ac03cd8
            PID: 4576
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
            PID: 3052
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
            PID: 3640
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
            PID: 2948
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
            PID: 5104
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
            PID: 1884
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
            PID: 5712
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
            PID: 4712
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
            PID: 5840
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
            PID: 5808
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
            PID: 2424
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
            PID: 1924
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
            PID: 2136
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1620,7912644964604388516,14285979116560123475,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6032 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID: 6880
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"4⤵
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.0.527792183\966160392" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef460275-aa7e-444d-8f88-9ed774231bfc} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 1848 27dc020fb58 gpu6⤵PID:2324
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.1.5566242\1442962583" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa787f3a-699f-425e-b090-cccf90a345e7} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 2440 27db3389c58 socket6⤵PID:5008
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.2.871409329\1842047293" -childID 1 -isForBrowser -prefsHandle 2752 -prefMapHandle 3016 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42fc1d55-b167-42db-a9d2-73a9b509f08a} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 3068 27dc2d94858 tab6⤵PID:3920
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.3.771223651\2114185985" -childID 2 -isForBrowser -prefsHandle 2736 -prefMapHandle 3120 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b71f3fd-dd72-4f5e-b2e6-d080433a1f29} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 2776 27dc612ff58 tab6⤵PID:4144
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.4.818342686\300930319" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 5240 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {745b3433-6cb0-4427-bd49-41bee6436c04} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5252 27dc784ff58 tab6⤵PID:5224
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.5.2049683660\324982787" -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5468 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e51b675-5fd4-4a4f-afa8-5cf5a8385609} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5480 27dc830c858 tab6⤵PID:2348
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3616.6.1013541165\171030763" -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {787c207a-da4c-437e-8239-812dbd4270f8} 3616 "\\.\pipe\gecko-crash-server-pipe.3616" 5676 27dc830a758 tab6⤵PID:5520
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2088
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:2304
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7104
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6704
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 216B
MD5 aee67a2df0718a30792263ea1d863298
SHA1 feec8589d7df8513af0b06e3711394e41a33bf8e
SHA256 57ad0329a5178f400c0fd12477ad9a9cb30c9fccd48a8d167d986441feff230c
SHA512 55a7a1cd947298e769e6eb2e6d622d517f35e74c1544d8a7bb54346bc9a523e97e6503b084212548840a87af3a6970a55f017da983d098dd1fa2c8bb1b959c30
-
Filesize 2KB
MD5 6aa392edd6dbedfe5ba6ee8aa2afb611
SHA1 f27c2254ace235e9a896ed238bb54adae06887fc
SHA256 6d000e6b89a5f183b61fc607a8bd6c65ef4d0cfb820aedbba07145acdcc41fbc
SHA512 43310c787ed212dff2f03098617663ade7f451ff46794c98b0c50ed5d5ca9b509aca9a4e8d0c98ba046f83e9b372ecdffbe80c0a7650ed426983758c1ed037d3
-
Filesize 2KB
MD5 8488adcc61e650002b8cdd14f23e21a8
SHA1 93cdf2f1636c1276e67769afff57c29c75a2faf7
SHA256 53e5f1a6c7d09b882f801f39911a8926ddaf193c9bba4366f7df1b7b43fc728f
SHA512 18d7bdd6cbea3183f1b69ef3db2e641c2dc4eb6179a3805f824a48bbe607e04d6d7eca97d148dc9a87deceae1aec0296299063e8bd7b4f3b9d2e01c1d8d2eb12
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 522B
MD5 13b8d7ccf457a03d506d48c24774c268
SHA1 756e190840cdee6d75c5eea94a70468a44c37d46
SHA256 54b078bf0cf406637088729787b98a6b94a85431496d0998401b84d21b7963bf
SHA512 cebc13f55a8c8cffaf913e22c1d50d325d4e137b289cd9dc479fcdbdfd78accc305f83a6e33574e6e28a19ce71ebffad65eac10fad5dc7023c000f3982154c64
-
Filesize 7KB
MD5 74e41ca8daedd4ae8aab1d8ad8737ac7
SHA1 10119b7d00be999610b75f0e2ea7142adb9a6042
SHA256 70d53778f2230c25c4631cf4c8adb26fb8bfc7ca986d56d1382b98f0d1c041cf
SHA512 5187bf8d5b669f9d5659c6f9b5e8231b393a5c6f35abdb2df6d185a0ae5f2e6b6f16780c1f5916a200d7dd88e35e73b034fa486d66989f965b964b28f4e924fe
-
Filesize 144KB
MD5 8e0b795828b71da44c59255a19d8a803
SHA1 32a780648d3925833ca2cc96ab86296fc9542a90
SHA256 3a1cddb05a805fbb914c817db6833951f6a1e2f528207d5bc0b8c028d106442d
SHA512 e0cccbd79f55437b8119bffbc748b8d49276422ec9e70aeddce7c5f4fdf100d40fad8c2eb26379e28dbc18751ef980d7f45abde543ac97a19f9485c186851c8b
-
Filesize 152B
MD5 dd3589b97978441d244d4e821fd239da
SHA1 63286c2b1fc75939d6ad4e1176901b5c7dc58143
SHA256 6ddace977f58c209176969a77634f8a7cdcaf6f1a550cdbc056674b2b538a5f9
SHA512 6a6a16c168445ee2511c363b31faae8bdd851259ccbdcdd8e93584dc076e1bd688891e5804479a1313019428387207b7a2ba23fe854c53ac86467c730c25b4c2
-
Filesize 152B
MD5 be6d8a5227798b38c33128c43f9febf0
SHA1 b5db7c6a1593f45c75ebb6a81e57628d11fcb892
SHA256 7eaf875fc88b9d5125a56f088e3f676d1762503427fb6b94dbe0eaef71c23234
SHA512 e34ec91b098f08c06754d1e873acfa7773e696dcd2f7be1b2cfe83962944cdbc59703511341d95ed8e5e0aea8f28c9d7b7b497cec719e7a771e6b5e5f6c28368
-
Filesize 67KB
MD5 51c3c3d00a4a5a9d730c04c615f2639b
SHA1 3b92cce727fc1fb03e982eb611935218c821948f
SHA256 cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA512 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542
-
Filesize 36KB
MD5 103d7813f0ccc7445b4b9a4b34fc74bf
SHA1 ed862e8ebd885acde6115c340e59e50e74e3633b
SHA256 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA512 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 240B
MD5 ca34160ed1223a11a9c1a9d22198ee4e
SHA1 4fc6e0eda4fee96f26ea430c20ac7a09875c068f
SHA256 695b789fe13fff756a39d451626b17b37a63a2ae638026616e82c175b5453e14
SHA512 03af6034126c3602a25b9ff0945a9178eecaf8c897d8f3820163e31e95c09684567e5a51cf15673628344f1afd33f21fb21d7e14ae8fef3a79ef7f5253a9651f
-
Filesize 1KB
MD5 c8f7ea9e16559f9485a0e8e78103d5ac
SHA1 bc52a075d6941243574d9635a6b941c13d9bc878
SHA256 afb92994f46b00fe53fce7254cb00518c756ce6005e58cd0ea27c9de64cb75a9
SHA512 b6d76b6340d24c618089a2d1888fa80b27c113429d232f6e30d571643e7fe403db6cc4355887172a44c0ae2a04b7309fab7ea253755a489acaea2e7fc9f67418
-
Filesize 5KB
MD5 25d52c978c2583f67eba89d979daf316
SHA1 a5b8380c052738faaee969230c124248d95bd281
SHA256 1355197bf1fa2c05bc230383b92293c8a5306fb0e2fa0890d043ad953cf8482e
SHA512 053bbde472f898651fd129df0f233789d93e594bb79be0aeb52b91a8dffb78bc89350746b57ecd2ef9f6a68aa9014e2d4f0f6ad44bc1a50a804944cc3bdc165b
-
Filesize 6KB
MD5 0d9901e150ee326c9451690cb88e1e6e
SHA1 7173eb711ce2445e8aefdd6ce8e1240ad0b7606a
SHA256 553b8bd0853f8306b929f66142b0da8dee6b79d13c3a148ccb1264dff871eedc
SHA512 2ab80e06cf253842f78ccb35404bde7fcf2829c94aead56070c604546c11a37711f26f2b501ccb8a3e60eb474a885534bdb88c98169dc44f2358aa99646bf464
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize 11KB
MD5 e7e2a17fb95cf4b8c9631698df59d7d6
SHA1 7bdb65274bbfb2f78bd9914c7fdd4de843c8a95d
SHA256 d6af12fab91dcd58641e9f582c10e9b6666c3f9f95c91effc5e8787cf0a3fbea
SHA512 15537c15cb185af846255a4d7fd4fb4f53ead53badd02457de89eda0f018d689c881896872de041f1360cf6553d3b3862951b57ea9c8b8fcc5634f7c2439e222
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1i7klk71.default-release\activity-stream.discovery_stream.json.tmp
Filesize 25KB
MD5 1dd93e50e26e4f4edbc6023d4bba2841
SHA1 3f3a2eec16e1ab54caf4c4ce8aee218f42f2d4fb
SHA256 f94bfe7e0b7148f3fbfe6a52581872ea062181f67a8c8779571c52340329690a
SHA512 201a5a14b4b8a8dc6b16219cd449a4736129cd92b92bb746716629d46714f40bfcb7a0ed1eb90cf8beaa90a102a6a8393abd4f0c4abe1ab573dc3b91fe454d36
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1i7klk71.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 1195bc7c5510a6366e5be238d5025dd0
SHA1 0feaa75327aae6374b1c04dfa7d1c3709a3d1f4e
SHA256 13ae0e1b1221cd3bf20917b103ad1b78bd9f08275d7b2295690a97db3de0e12a
SHA512 51d20271370d270eb08769e734d5fb0d272f535abbf5fca5a311857f81ab76a5ffbf8d0e217077ed2319fb7ffdaca176989b8ef32e51872ca0916feaae4a76b7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1i7klk71.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize 9KB
MD5 59d60189726e5c5f464ad051217708fc
SHA1 d60e545af8082eee4a4098df949d3a4c6ca8f4db
SHA256 2a8eabd9afde8c96b40f3e8448d72e66592e84767062bc9adf2e1b7cbec936cf
SHA512 aebe1c314dcdeaad5c1ebd9003d3d85af3b331440a1815dbe50c59b3809e01e44ffd1956923b11a01d4db624bb3c85110297b216cb3f67260e94671788a62308
-
Filesize 2.4MB
MD5 d342b0b1abfb52f8238f15947684c901
SHA1 822148d3b2b2663c25b865a1f98516095c5e01b0
SHA256 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404
SHA512 e6558c4cc35d8b1784602695a7febec0aef5c9b6fba90fe4a90a8da27592678da6f61655770f35fc425c3de1d970576117982cffb12a9f9d1942daf7b32e4f75
-
Filesize 2KB
MD5 c1b73be75c9a5348a3e36e9ec2993f58
SHA1 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256 a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512 fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
-
Filesize 1.8MB
MD5 3c2244f8cfcff51f66b7d71bff61dc5e
SHA1 3c2e5dcabe6837b8ef81e6f94a50af55ff48f6b7
SHA256 e69a0d641673bcf943f7a9162b8b594bf731bafea11d5cddd270e25854097c4d
SHA512 9888adb1d37ebd2ce671bb63337faf6150558bba4b0c1f88cbd59f272ab9cfa386f6ff03b622d79c3a0b52e343aec03e96c966a556ab270994b07fa7e4580bfc
-
Filesize 442KB
MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize 8.0MB
MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize 256KB
MD5 015aabf89c2bfe4aaa65ba0297318906
SHA1 a79f6e303c6cb52be29dce9bb0a3c481648db984
SHA256 04fff0e0c31a26b528f3794de04a1a1d4270c19d94af5376da44a2692599ab62
SHA512 994fa44f8ad7dcaece35b6f012cde12dfd6ecc7c398af805e1e3f30961e60ddfa426249f41a9970f02d30f673c544a7f7a0a58f72bc9fd6814d983d4533d2085
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1i7klk71.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1i7klk71.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1i7klk71.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize 479B
MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1i7klk71.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize 372B
MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1i7klk71.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize 11.8MB
MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1i7klk71.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize 1KB
MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1i7klk71.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize 1KB
MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize 992KB
MD5 f5cd06b8d490c16c775347fa5d6365c2
SHA1 19d9b536fe2b2b10e593270d54d5b7b4c224b351
SHA256 8ae199cbc7f2cb518dc7cb80c715925f1c65b523a5f9768590ed0fcde20af914
SHA512 cd765839f07c2ae434d2634ee15cf5acb65dabbe63d325fbccde725bd0c8437b1bfee3b1e08248427c02863460398f01d8090ce3c589a6bdcdea88af48769cd4
-
Filesize 6KB
MD5 682afdcd2d7b598643e19019a226f97c
SHA1 e3f147bf33bdbf34a4be6b699a201bb401900c6c
SHA256 50c492af8ab25069574d75e991c78d08459f4f5af2f6573143f8c80e7d619aad
SHA512 5d5e57fd716ccdc2758aaadb67d5718d17acfe85d3122a082ee17d5b84fbd1ba185f99aff37fed38015be840287f46248f619efc8f9f0a311cf4c16da19e3709
-
Filesize 8KB
MD5 9ed5da963e8e8c0ecc128569a383df89
SHA1 016cb56714a8712910ed81776ef5bdb3bcc0de5b
SHA256 7cef60329d9d737ce68ef9f060536eebdab7995483849c98a9f92dda402baad1
SHA512 5d2ea849e66b70ae0828f7b5c362077f650985faf32a18689e8adbebacaf30c61dcd507e6b56d3bb246275eabd10a67468aaa1dcc0c5fb24f6eac76102985f18
-
Filesize 6KB
MD5 4f67d716d07297c897ef5061e03b17f7
SHA1 ea7900e1047bc3b4da0ba7eae1c51f77c8ddea8e
SHA256 c9c670a05195a815ff766662b865227bd158d2616460a4df634194f501f2a137
SHA512 780a70b94e871eb62e08ab320c85c2f1643e938d43ada09c1ad538835a7f91eccd1dd094e1e2fd2e2dcc5b8f946dc0473d39691ac0f42760c4a37b96d28e7319
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1i7klk71.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 6bcf1624810792af1c1b55e6c4449446
SHA1 bed7e5a097f28af5f07cb46a54de53a52f4347bb
SHA256 36e7e7aaffac41482c9b64d2a1b16deb22971436fb6cc28016a4f095f2aebd49
SHA512 0e7e58673c3aaf6230b1f2eb03fc59d7716d000b2a8b42526193a56f5de9a6d967fef3b9eef5970b74b7c2d2ce50b4dcfd20c6ab9722a7718f9067338688b1fe
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e