Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows11-21h2_x64
  resource: win11-20240704-en
  resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 09-07-2024 05:38

Static task: static1
Behavioral task: behavioral1
  Sample: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  Resource: win10v2004-20240704-en
General
  Target: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  Size: 1.8MB
  MD5: 8daf94b97ec9ab1d0cf61f9ef429808a
  SHA1: 4e1a9a1813908a0c794eafb71779fb60b8418836
  SHA256: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437
  SHA512: 87447bd5188c56e67f98d0e6299bd3e4b486d8632f227b72bca9865985ac6a485253474eec0d9ff5fc15f142b4244059d0b79fc608373a104eb78490a0cdac48
  SSDEEP: 49152:uHqhQXkeV1qTH+XymZrQDoh/y5qYtRdm8E/V:PhQXZcb+4e/yEsRZ
Malware Config

Extracted
  Family: amadey
  Version: 4.30
  Botnet: 4dd39d
  C2: http://77.91.77.82
  Attributes:
    install_dir: ad40971b6b
    install_file: explorti.exe
    strings_key: a434973ad22def7137dbb5e059b7081e
    url_paths: /Hun4Ko/index.php

Extracted
  Family: stealc
  Botnet: hate
  C2: http://85.28.47.30
  Attributes:
    url_path: /920475a59bac849d.php
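The two extracted configs give everything needed to pivot from this report to a hunt: C2 host plus url_path is the exact endpoint each implant posts to, and Amadey's install_dir/install_file is the on-disk copy under the user's Temp folder (the process tree below shows it at C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe) next to the C:\Windows\Tasks\explorti.job file from the "Drops file in Windows directory" signature. The Python below is an added example, not part of the report or of either malware family's code: it derives those IOCs from the config values and checks constructed proxy-log lines against them. The log line format, the LOCALAPPDATA default, the derivation of the .job name from install_file, and the normalisation of Stealc's single url_path into a list are my assumptions.

```python
"""Turn the extracted Amadey/Stealc configs into host and network IOCs and
match them against proxy-log lines. Added example, not from the report; the
config values are the extracted ones, the log lines are constructed."""
import ntpath
from urllib.parse import urlsplit

# Values copied from the Malware Config section (url_path normalised to a list).
AMADEY = {
    "family": "amadey",
    "c2": "http://77.91.77.82",
    "install_dir": "ad40971b6b",
    "install_file": "explorti.exe",
    "url_paths": ["/Hun4Ko/index.php"],
}
STEALC = {
    "family": "stealc",
    "c2": "http://85.28.47.30",
    "url_paths": ["/920475a59bac849d.php"],
}

def network_iocs(cfg):
    """(host, path) endpoints the implant is expected to POST to."""
    host = urlsplit(cfg["c2"]).hostname
    return {(host, path) for path in cfg["url_paths"]}

def host_iocs(cfg, localappdata=r"C:\Users\Admin\AppData\Local"):
    """Files implied by an Amadey install_dir/install_file: the copied binary
    under %LOCALAPPDATA%\\Temp and the Tasks\\<name>.job file. Assumption: the
    .job name follows the install_file basename, as it does in this report."""
    if "install_dir" not in cfg:
        return set()
    exe = ntpath.join(localappdata, "Temp", cfg["install_dir"], cfg["install_file"])
    job = ntpath.join(r"C:\Windows\Tasks", ntpath.splitext(cfg["install_file"])[0] + ".job")
    return {exe, job}

def match_proxy_log(lines, configs):
    """Return (client, family, url) for lines whose host AND path match a C2
    endpoint. Host alone would also flag unrelated traffic to a shared IP;
    path alone (/index.php) is far too common to hunt on."""
    wanted = {}
    for cfg in configs:
        for endpoint in network_iocs(cfg):
            wanted[endpoint] = cfg["family"]
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than abort the hunt
        url = urlsplit(fields[3])
        family = wanted.get((url.hostname, url.path))
        if family:
            hits.append((fields[1], family, fields[3]))
    return hits

# Constructed proxy lines, "<time> <client> <method> <url>" (not from the report).
SAMPLE_LOG = [
    "2024-07-09T05:40:01Z 10.0.0.5 POST http://77.91.77.82/Hun4Ko/index.php",
    "2024-07-09T05:40:03Z 10.0.0.5 GET http://77.91.77.82/",
    "2024-07-09T05:41:10Z 10.0.0.5 POST http://85.28.47.30/920475a59bac849d.php",
    "2024-07-09T05:41:11Z 10.0.0.7 GET https://www.youtube.com/account",
]

if __name__ == "__main__":
    for cfg in (AMADEY, STEALC):
        print(cfg["family"], sorted(network_iocs(cfg)), sorted(host_iocs(cfg)))
    for client, family, url in match_proxy_log(SAMPLE_LOG, [AMADEY, STEALC]):
        print(f"{client} -> {family} C2 {url}")
```

The host artifacts are the more durable pivot: they survive a C2 rotation, while the network match goes stale as soon as the operator moves the panel.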
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 6 IoCs
  Processes: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe, explorti.exe, IDAKJKEHDB.exe, FCGCGDHJEG.exe, explorti.exe, explorti.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IDAKJKEHDB.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | FCGCGDHJEG.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry | 2 TTPs | 12 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: IDAKJKEHDB.exe, FCGCGDHJEG.exe, explorti.exe, explorti.exe, 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe, explorti.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IDAKJKEHDB.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FCGCGDHJEG.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IDAKJKEHDB.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FCGCGDHJEG.exe

Executes dropped EXE | 6 IoCs
  Processes: explorti.exe, 78373aece0.exe, IDAKJKEHDB.exe, FCGCGDHJEG.exe, explorti.exe, explorti.exe
  pid | process
  2876 | explorti.exe
  1712 | 78373aece0.exe
  6748 | IDAKJKEHDB.exe
  6828 | FCGCGDHJEG.exe
  7140 | explorti.exe
  6840 | explorti.exe

Identifies Wine through registry keys | 2 TTPs | 6 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe, explorti.exe, IDAKJKEHDB.exe, FCGCGDHJEG.exe, explorti.exe, explorti.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000\Software\Wine | 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000\Software\Wine | IDAKJKEHDB.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000\Software\Wine | FCGCGDHJEG.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000\Software\Wine | explorti.exe

Loads dropped DLL | 2 IoCs
  Processes: 78373aece0.exe
  pid | process
  1712 | 78373aece0.exe
  1712 | 78373aece0.exe

Reads data files stored by FTP clients | 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers | 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting | 2 TTPs

Checks installed software on the system | 1 TTP
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger | 9 IoCs
  Processes: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe, explorti.exe, 78373aece0.exe, IDAKJKEHDB.exe, FCGCGDHJEG.exe, explorti.exe, explorti.exe
  pid | process
  2476 | 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  2876 | explorti.exe
  1712 | 78373aece0.exe
  1712 | 78373aece0.exe
  1712 | 78373aece0.exe
  6748 | IDAKJKEHDB.exe
  6828 | FCGCGDHJEG.exe
  7140 | explorti.exe
  6840 | explorti.exe

Drops file in Windows directory | 1 IoC
  Processes: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  description | ioc | process
  File created | C:\Windows\Tasks\explorti.job | 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe

Enumerates physical storage devices | 1 TTP
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry | 2 TTPs | 8 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: firefox.exe, 78373aece0.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 78373aece0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 78373aece0.exe

Enumerates system info in registry | 2 TTPs | 6 IoCs
  Processes: chrome.exe, msedge.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe

Modifies registry class | 1 IoC
  Processes: firefox.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000_Classes\Local Settings | firefox.exe
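The registry signatures above mix real anti-analysis checks with reads that legitimate software also performs. The Amadey binaries (the sample, explorti.exe, IDAKJKEHDB.exe, FCGCGDHJEG.exe) each open the VirtualBox ACPI key, query both BIOS version strings and probe for Wine, while chrome.exe and msedge.exe only read the BIOS manufacturer/product keys and firefox.exe only reads CentralProcessor\0, which is why the report grades those under the weaker "Enumerates system info" and "Checks processor information" headings. The Python below is an added example, not part of the report or the sandbox: it scores each process by how many distinct anti-analysis categories it touches, so one isolated read does not raise an alert. The category names, the regexes and the two-category threshold are my own choices; the event tuples are transcribed from the tables above, one representative row per process and key.

```python
"""Per-process scoring of registry reads that sandboxes treat as anti-analysis.
Added example (not from the report). EVENTS is transcribed from the report's
IoC tables; categories, regexes and the threshold are assumptions."""
import re
from collections import defaultdict

SAMPLE = "2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe"
SID = "S-1-5-21-1300643590-245460719-3687711119-1000"
WINE_KEY = r"\REGISTRY\USER\%s\Software\Wine" % SID
CLASSES_KEY = r"\REGISTRY\USER\%s_Classes\Local Settings" % SID

# Category -> pattern matched against the full registry path (case-insensitive).
ANTI_ANALYSIS_KEYS = {
    "vbox_acpi":    re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    "bios_version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "wine":         re.compile(r"\\Software\\Wine$", re.I),
    "cpu_info":     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\.*)?$", re.I),
    "bios_vendor":  re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\.*)?$", re.I),
}

def classify(key):
    """Return the anti-analysis category for a registry path, or None."""
    for name, rx in ANTI_ANALYSIS_KEYS.items():
        if rx.search(key):
            return name
    return None

def score_processes(events, min_categories=2):
    """events: iterable of (process, operation, registry_path).
    Returns {process: sorted(categories)} only for processes that touched at
    least min_categories distinct categories: a browser asking for the CPU
    name or BIOS vendor alone is not enough to flag."""
    seen = defaultdict(set)
    for proc, _op, key in events:
        cat = classify(key)
        if cat:
            seen[proc].add(cat)
    return {p: sorted(c) for p, c in seen.items() if len(c) >= min_categories}

# Transcribed from the report's tables (one representative row per process/key).
EVENTS = [
    (SAMPLE,           "Key opened",        r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (SAMPLE,           "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (SAMPLE,           "Key opened",        WINE_KEY),
    ("explorti.exe",   "Key opened",        r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("explorti.exe",   "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("explorti.exe",   "Key opened",        WINE_KEY),
    ("78373aece0.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("firefox.exe",    "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"),
    ("chrome.exe",     "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("msedge.exe",     "Key opened",        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"),
    ("firefox.exe",    "Key created",       CLASSES_KEY),
]

if __name__ == "__main__":
    for proc, cats in score_processes(EVENTS).items():
        print(f"{proc}: {', '.join(cats)}")
```

With the threshold at two, only the sample and explorti.exe come out flagged; dropping it to one reproduces the report's noisier single-category hits on the browsers and on 78373aece0.exe.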
Suspicious behavior: EnumeratesProcesses | 32 IoCs
  Processes: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe, explorti.exe, 78373aece0.exe, msedge.exe, chrome.exe, msedge.exe, identity_helper.exe, IDAKJKEHDB.exe, FCGCGDHJEG.exe, msedge.exe, explorti.exe, explorti.exe, msedge.exe, chrome.exe
  pid | process | entries
  2476 | 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe | 2
  2876 | explorti.exe | 2
  1712 | 78373aece0.exe | 4
  4920 | msedge.exe | 2
  3980 | chrome.exe | 2
  3032 | msedge.exe | 2
  6480 | identity_helper.exe | 2
  6748 | IDAKJKEHDB.exe | 2
  6828 | FCGCGDHJEG.exe | 2
  3224 | msedge.exe | 2
  7140 | explorti.exe | 2
  6840 | explorti.exe | 2
  6992 | msedge.exe | 4
  7060 | chrome.exe | 2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary | 10 IoCs
  Processes: chrome.exe, msedge.exe
  pid | process | entries
  3980 | chrome.exe | 3
  3032 | msedge.exe | 7

Suspicious use of AdjustPrivilegeToken | 64 IoCs
  Processes: firefox.exe, chrome.exe
  description | pid | process
  Token: SeDebugPrivilege | 3556 | firefox.exe (2 entries)
  Token: SeShutdownPrivilege | 3980 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3980 | chrome.exe
  (the two chrome.exe tokens alternate for the remaining 62 entries)

Suspicious use of FindShellTrayWindow | 55 IoCs
  Processes: chrome.exe, msedge.exe, firefox.exe
  pid | process
  3980 | chrome.exe
  3032 | msedge.exe
  3556 | firefox.exe
  (55 entries in total, repeated across these three processes)

Suspicious use of SendNotifyMessage | 27 IoCs
  Processes: chrome.exe, msedge.exe, firefox.exe
  pid | process | entries
  3980 | chrome.exe | 12
  3032 | msedge.exe | 12
  3556 | firefox.exe | 3

Suspicious use of SetWindowsHookEx | 2 IoCs
  Processes: 78373aece0.exe, firefox.exe
  pid | process
  1712 | 78373aece0.exe
  3556 | firefox.exe

Suspicious use of WriteProcessMemory | 64 IoCs
  Processes: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe, explorti.exe, cmd.exe, chrome.exe, firefox.exe, msedge.exe, firefox.exe
  description (source pid, source process -> target pid, target process) | entries
  PID 2476 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe wrote to memory of 2876 explorti.exe | 3
  PID 2876 explorti.exe wrote to memory of 1712 78373aece0.exe | 3
  PID 2876 explorti.exe wrote to memory of 4412 cmd.exe | 3
  PID 4412 cmd.exe wrote to memory of 3980 chrome.exe | 2
  PID 4412 cmd.exe wrote to memory of 3032 msedge.exe | 2
  PID 4412 cmd.exe wrote to memory of 3264 firefox.exe | 2
  PID 3980 chrome.exe wrote to memory of 3228 chrome.exe | 2
  PID 3264 firefox.exe wrote to memory of 3556 firefox.exe | repeated
  PID 3032 msedge.exe wrote to memory of 348 msedge.exe | 2
  PID 3556 firefox.exe wrote to memory of 3900 firefox.exe | repeated
  (the two firefox.exe parent-to-child edges account for the remaining 45 entries)
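The WriteProcessMemory entries above are logged once per call, so the same parent-to-child pair repeats, but each entry carries the source pid, target pid and both image names, which is enough to rebuild the spawn chain that the Processes view below draws. The Python below is an added example, not part of the report: it deduplicates a transcribed subset of those entries into a graph, keeps the per-edge call count, and renders the same indented tree. The one-entry-per-line input layout is mine. Caveat: CreateProcess itself writes the new process's parameters into the child, so a parent-to-child write here is ordinary process creation, not evidence of injection on its own; the count per edge is what separates a normal spawn from something worth a closer look.

```python
"""Rebuild the spawn tree from 'wrote to memory of' IoC entries.
Added example, not part of the report. WPM_ENTRIES is a transcription of a
subset of the report's entries, one per line (my layout, not the sandbox's)."""
import re

WPM_ENTRIES = """\
PID 2476 wrote to memory of 2876 2476 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe explorti.exe
PID 2476 wrote to memory of 2876 2476 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe explorti.exe
PID 2876 wrote to memory of 1712 2876 explorti.exe 78373aece0.exe
PID 2876 wrote to memory of 4412 2876 explorti.exe cmd.exe
PID 4412 wrote to memory of 3980 4412 cmd.exe chrome.exe
PID 4412 wrote to memory of 3032 4412 cmd.exe msedge.exe
PID 4412 wrote to memory of 3264 4412 cmd.exe firefox.exe
PID 3980 wrote to memory of 3228 3980 chrome.exe chrome.exe
PID 3264 wrote to memory of 3556 3264 firefox.exe firefox.exe
PID 3032 wrote to memory of 348 3032 msedge.exe msedge.exe
PID 3556 wrote to memory of 3900 3556 firefox.exe firefox.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
ENTRY_RX = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

def parse_edges(text):
    """Return ({(src_pid, dst_pid): (src_image, dst_image)}, {edge: call_count}).
    The sandbox logs one row per write, so the same edge repeats; the count is
    kept because a high count on an edge between unrelated images is the part
    that deserves a second look."""
    edges, counts = {}, {}
    for m in ENTRY_RX.finditer(text):
        src, dst, src_img, dst_img = m.groups()
        edge = (int(src), int(dst))
        edges.setdefault(edge, (src_img, dst_img))
        counts[edge] = counts.get(edge, 0) + 1
    return edges, counts

def build_tree(edges):
    """Return (pid -> image, parent pid -> [child pids], root pids)."""
    names, children = {}, {}
    for (src, dst), (src_img, dst_img) in edges.items():
        names.setdefault(src, src_img)
        names.setdefault(dst, dst_img)
        children.setdefault(src, []).append(dst)
    targets = {dst for (_, dst) in edges}
    roots = [pid for pid in names if pid not in targets]
    return names, children, roots

def render(names, children, roots):
    """Indented tree, two spaces per level, like the report's Processes view."""
    lines = []
    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines

if __name__ == "__main__":
    edges, counts = parse_edges(WPM_ENTRIES)
    print("\n".join(render(*build_tree(edges))))
    print({f"{s}->{d}": n for (s, d), n in counts.items() if n > 1})
```

The tree this produces stops at the browser children because only edges present in the input appear; the cmd.exe /c start launches of IDAKJKEHDB.exe and FCGCGDHJEG.exe have no WriteProcessMemory rows in the report and so are only visible in the Processes view.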
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe (level 1, PID 2476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 2, PID 2876)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1000006001\78373aece0.exe (level 3, PID 1712)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\78373aece0.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe (level 4, PID 6648)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDAKJKEHDB.exe"

        C:\Users\Admin\AppData\Local\Temp\IDAKJKEHDB.exe (level 5, PID 6748)
          Command line: "C:\Users\Admin\AppData\Local\Temp\IDAKJKEHDB.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe (level 4, PID 6740)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCGCGDHJEG.exe"

        C:\Users\Admin\AppData\Local\Temp\FCGCGDHJEG.exe (level 5, PID 6828)
          Command line: "C:\Users\Admin\AppData\Local\Temp\FCGCGDHJEG.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe (level 3, PID 4412)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\a946bae8fa.cmd" "
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Google\Chrome\Application\chrome.exe (level 4, PID 3980)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5, PID 3228)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0x84,0x118,0x7ff83498ab58,0x7ff83498ab68,0x7ff83498ab78

        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5, PID 4180)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=2328,i,2199579226663915343,15488510068085636221,131072 /prefetch:2

        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5, PID 1440)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2328,i,2199579226663915343,15488510068085636221,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5, PID 1412)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1900 --field-trial-handle=2328,i,2199579226663915343,15488510068085636221,131072 /prefetch:8

        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5, PID 696)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=2328,i,2199579226663915343,15488510068085636221,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5, PID 3776)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=2328,i,2199579226663915343,15488510068085636221,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5, PID 5788)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4052 --field-trial-handle=2328,i,2199579226663915343,15488510068085636221,131072 /prefetch:1

        C:\Program Files\Google\Chrome\Application\chrome.exe (level 5, PID 7060)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3960 --field-trial-handle=2328,i,2199579226663915343,15488510068085636221,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4, PID 3032)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 348)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff82d213cb8,0x7ff82d213cc8,0x7ff82d213cd8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 4400)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 4920)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 4520)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 3500)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 3580)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 1400)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 448)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 2096)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 6292)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 6300)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (level 5, PID 6480)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 3224)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5, PID 6992)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,588872689435923193,3593534706213107383,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5620 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4, PID 3264)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
  - Suspicious use of WriteProcessMemory
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 5, PID 3556)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6, PID 3900)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.0.1124890138\1227146181" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {423e9430-6492-4bba-8346-19415e67b6be} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 1860 228d0d0c558 gpu
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6, PID 2904)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.1.69674284\2126213883" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddaa228b-756c-4bff-a6f6-a50f9495b031} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 2436 228c3f87558 socket
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6, PID 2248)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.2.2043437312\562031320" -childID 1 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1036 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bb59ac9-5b59-4b72-8f22-418b68701eb6} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 3492 228d3895258 tab
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6, PID 5260)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.3.1689416761\1888601120" -childID 2 -isForBrowser -prefsHandle 3404 -prefMapHandle 3420 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1036 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a987882-ed64-4d8e-82b8-b3904ad0aa32} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 3208 228d57ce458 tab
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6, PID 5588)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.4.1107744767\731558254" -childID 3 -isForBrowser -prefsHandle 5164 -prefMapHandle 5100 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1036 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be075a47-f53e-4e71-ba5a-d13ea3dbe6a2} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 5140 228c3f7dd58 tab
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6, PID 1152)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.5.572263598\2095941108" -childID 4 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1036 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c153452-70cd-4247-9726-39c55885882c} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 5304 228d6e5f558 tab
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6, PID 5668)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3556.6.43784931\181234597" -childID 5 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1036 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39023bba-a4ae-416f-a02a-97eab8e15c7c} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" 5500 228d70f7258 tab
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (tree depth 1, PID 5324)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Windows\System32\CompPkgSrv.exe (tree depth 1, PID 5596)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (tree depth 1, PID 5872)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (tree depth 1, PID 7140)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (tree depth 1, PID 6840)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
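The two explorti.exe entries above (the Amadey install_file from the extracted config, running from the install_dir under the user's Temp folder) combine execution from a user-writable directory with the anti-VM, anti-Wine and anti-debugger checks listed as signatures. The following triage helper is an added example, not part of the sandbox report or its tooling: it parses records shaped like the report's process entries, scores them on those behaviours, and flags the dropped payload while leaving the browser helper processes alone. The record layout, the weights and the threshold are assumptions made for this example; the signature strings and the two sample records are copied from the report.

```python
"""Score sandbox process-tree records for drop-and-execute and anti-analysis behaviour.

Added example, not code from the sandbox report. Record format, weights and
threshold are assumptions; signature names match the report's wording.
"""
import re
from dataclasses import dataclass, field

# Report signature -> weight. Weights are an assumption for this example.
ANTI_ANALYSIS = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)": 3,
    "Checks BIOS information in registry": 2,
    "Identifies Wine through registry keys": 2,
    "Suspicious use of NtSetInformationThreadHideFromDebugger": 3,
    "Executes dropped EXE": 2,
    "Suspicious behavior: EnumeratesProcesses": 1,
}

# Long-lived binaries rarely run from a per-user Temp directory.
USER_WRITABLE_TEMP = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\Temp\\", re.IGNORECASE
)

RECORD_HEADER = re.compile(r"^(.+?) \(PID (\d+)\)$")


@dataclass
class ProcessRecord:
    image: str
    pid: int
    signatures: list = field(default_factory=list)


def parse_records(text):
    """Parse report-style text: an image path with PID, then '- signature' lines."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_HEADER.match(line)
        if m:
            current = ProcessRecord(image=m.group(1), pid=int(m.group(2)))
            records.append(current)
        elif line.startswith("- ") and current is not None:
            current.signatures.append(line[2:])
    return records


def triage(record):
    """Return (score, reasons) for one record."""
    score, reasons = 0, []
    if USER_WRITABLE_TEMP.search(record.image):
        score += 3
        reasons.append("runs from a user-writable Temp directory")
    for sig in record.signatures:
        weight = ANTI_ANALYSIS.get(sig)
        if weight:
            score += weight
            reasons.append(sig)
    return score, reasons


def flag(records, threshold=8):
    """Return (image, pid, score) for records at or above the threshold."""
    out = []
    for r in records:
        score, _ = triage(r)
        if score >= threshold:
            out.append((r.image, r.pid, score))
    return out


# Constructed input: two entries transcribed from the report's process tree.
SAMPLE = r"""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3224)
- Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 7140)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
"""

if __name__ == "__main__":
    for image, pid, score in flag(parse_records(SAMPLE)):
        print(f"score={score:2d} pid={pid} {image}")
```

The Temp-path rule carries its own weight so that a dropped binary with only one or two sandbox-evasion signatures still clears the threshold, while a signed browser helper that merely enumerates processes (the Edge and Firefox entries above) does not.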
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 593KB
  MD5 c8fd9be83bc728cc04beffafc2907fe9
  SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- Filesize 2.0MB
  MD5 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
- Filesize 216B
  MD5 15e41c15256b9ca625a4d54306228979
  SHA1 60dc8ddf4a27d2bb6aa426a3b93de2218150ad61
  SHA256 6a74beca76a6a2136158e9dff6c0e7f9ff4fbf74224bcd56bc94bd2bdbaa6686
  SHA512 cc93dcae413e82514ad9b4281a52dde8a0b6135038a7b3c78628cc225c2047c15efd3e1f27ca56f6d051125ca0dddf66c95f3066a499a66bc97080e7488331e0
- Filesize 2KB
  MD5 c47d4f0559e741d9e857db95fef0d2a5
  SHA1 7ef5d5d55eb7f31549294411047ff1c3ff42d968
  SHA256 3a427c5a8bff05571cc76f893a971761c43b788d2bb8490b7ec8ef455a2f8cb5
  SHA512 ebf53fb1f2947cde7be75a91322a70914def854a6a5059d881c771ede3c5a45084d7c06a7662e194420b00da279aaa0d83d4ac42f93bb7049c1896bce25c3fce
- Filesize 2B
  MD5 d751713988987e9331980363e24189ce
  SHA1 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize 522B
  MD5 e2286a2095e281390a8145698b063710
  SHA1 ca987882214718639eed9141b1b09059a810bbae
  SHA256 5c1d94ae0fd58a7c944a971ff5b7121c4671f11086f7c846225691af0ecae71e
  SHA512 3335f303d34d6e78d825ab8745e620a3f8f2af79f8b570fa0a6a992a253be07ae0d3f3df7a052f0ab8eb55048caf99d7e6ce129a94cb6bb887ce33a13f5fb122
- Filesize 7KB
  MD5 afe9015aa6b4bbd1fcbc1366af0c3bca
  SHA1 03b686fc51770e755ac8b9eb20cf53d90e820eff
  SHA256 0673ea56721daf46359caf9c0056a32ccd1095ced4dcd518aaa2ce98b23ea89e
  SHA512 ca51461a316d1ef8dc3db83205c5994ef40768a332c59d63f0bf85f03074acb8c366855d9a00b24e24eed1dc772b0ef6023be893aaa8a51fc2a3c7e0cc3533b8
- Filesize 144KB
  MD5 c431ab7e6030d01f7584a3d5d58be19e
  SHA1 0a08ccb7ff4304b250b97ac656df55d1ce3476a4
  SHA256 9587ff0864b11e3cd6578d5cf69f78d4e1bf7d4c898328af5437635467d6e217
  SHA512 d6212d9764409e18766d8b0c6927f7e8a2eb32c1e5f6cca7f9c9af7d0f92b97c5e0152bf7e266c86491c9efc52fcc7845eaf97195fb540565f2628fb25ac1fef
- Filesize 152B
  MD5 4f9e5616c068d89c288975cccf486ba9
  SHA1 049ff88576a2a7c47740819b750a2f8edfa0d0b7
  SHA256 680a4ebe591a39c80dc406530a6e51aa0bdee8ab91b8d326f90616435b595e26
  SHA512 98147f31a4d6372e73970295464c8943709632e78b15f581436f30d63f9cbdcbaaf9c80e2cce366f95709f52c7bb2283770de686dac7d1c0b7e2cb704b7a0383
- Filesize 152B
  MD5 4af3ab7cb0460a8ca1bc42c663f441ea
  SHA1 47603056b2829b869fbab04884da29544077fc3e
  SHA256 e4c2390de67f4be3f7a84f4ef879a25c15c68c62a226ab9c9007c03597184369
  SHA512 9c4cb6eee3f90f4cf46c0544d371cbe3b93a092f0057963e54bdbc6c6e584564aa4e3e8cc0085360ac7661a18c929c37cdabaa35035d925fc23446dba609323a
- Filesize 67KB
  MD5 51c3c3d00a4a5a9d730c04c615f2639b
  SHA1 3b92cce727fc1fb03e982eb611935218c821948f
  SHA256 cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
  SHA512 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542
- Filesize 36KB
  MD5 103d7813f0ccc7445b4b9a4b34fc74bf
  SHA1 ed862e8ebd885acde6115c340e59e50e74e3633b
  SHA256 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
  SHA512 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize 240B
  MD5 df4ab3de89c5b4f6445629adc79fff95
  SHA1 8e7d91edf582fd63834d97e94426a0a3cf2dde9a
  SHA256 e704a047716fca1c1327d35bd3b835e98d20876f1dc299c81e365a446835b310
  SHA512 9954636a36b2465ce7b9fd6db14d4af193a990d8ff72310e2386ae2d5a7e66a5d686ea1ca5159a105249a61a7de543c4a54d4d28d05739f4a1c8b4ed06ce5d88
- Filesize 1KB
  MD5 50882fd94cffec9341d356ddb7f45f27
  SHA1 16f01579ea75b6eeb6c5250c8067452a649e66ef
  SHA256 221c7e6f3db63e8116e457020c326e3084a89b864b1d5a9006c93d0718dd018f
  SHA512 6949fcc884f34eef7e180d21e19a02a57ae489653650db3c04eaf3dc4cc16cef7fd52d281f0ea1671b7af17d3f356f5a6b4f4f18e17b3a66ccf9ebffb62f89b4
- Filesize 5KB
  MD5 68ed434310a6955a04f8217713af0d8b
  SHA1 444f49c4cf82699f3abb2a50d6a068b6c291a8a7
  SHA256 07f2850a66b4855feda784321468de7319d95a847941db5bb9c7ff6303e1d992
  SHA512 4bcb41ed53117c38068d0dfdaeb235518a939a8993ca7f3e106b4c85f6a30ea428d8341bc0cb666db99aa68bc2c058fae172de64417d024f23d69a19b5f49675
- Filesize 6KB
  MD5 988115b5c33b33df01629af4d608d3f0
  SHA1 1028a1b5194ea7f2d2f00c9ed1ffdf2172906496
  SHA256 3d33aedb885129e1b962ebc3c7d88e0658b298e36382472b4b4b24544e12972f
  SHA512 23f1ff349cd05fd0d16c049ee6823085cf6be50b24141490a507415326684d50252672a689515ab1f8009a3c4a67745b3a6cc0a0a6c4476799c6f5256f5d8344
- Filesize 16B
  MD5 6752a1d65b201c13b62ea44016eb221f
  SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize 11KB
  MD5 a87f2f4c62a7ec657bd3748f647eafc5
  SHA1 1a6a4b37c75ed1d0e2990dda7eedf6ece4427e2a
  SHA256 fc10ee1d9967333930e44c7510332ade6bd83fa859320674c60d47fdbd8f81f1
  SHA512 b8b11ce701c22f623c740d9d248981f408e7457ecf9cade8df3d6fe0f3d150437dc85c538a7d147d92a21b3b708f341b384bd17b12e6f9d448a03ec0b65bc746
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rz0s9619.default-release\activity-stream.discovery_stream.json.tmp
  Filesize 25KB
  MD5 816ae2fb31dd2bd28b074ff8c0102025
  SHA1 51c5c619d3c68919ade11803f94ace88d2a9cfba
  SHA256 9e0c30b7369007efa592c95989bc1ec876b9668a3fa413e8952d08e70776085e
  SHA512 6e4722395904c4a1512a1ea96e3b7b73c7a2993d9274d05e3ac1c6345db116a533b8928f3b033431c7724533d5337ae6d5a8354de6bc6d24e020913991ca6b91
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rz0s9619.default-release\activity-stream.discovery_stream.json.tmp
  Filesize 25KB
  MD5 6e5d8a4fc1394142a5f4066b07b10e93
  SHA1 c900ba686f3fbeb07df5e7ba329ec6fa60e37050
  SHA256 7e3a87385dfafd0763a015d3397044099e8db5f418504a0040e1f56840d3f1b1
  SHA512 de8e8b50c66ff8c230f0724e23267c7474107942c6e5d524f94bed74cd8e5c918ad0dadf5b9c7d6b056d6b835ed1b8e6def9509ed4a14ce9b0d9ede0106836ad
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rz0s9619.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
  Filesize 13KB
  MD5 9a10d369d20e76f5a54b6959c0f69140
  SHA1 ef58bb4dcf84d084a54400a2a5dcbb6981419abe
  SHA256 f9036f78f87df49897d75581883e611943ce75c61aa0e9422837da97d907803d
  SHA512 240b0a5e2e9a543c6ebc9bb3ae959031364754facca7ffb96f012ca663537ffe6bbf71b363c6dc747262d9fbfe8ea63439b6cbc1bf711846bba40497033a78a8
- Filesize 2.4MB
  MD5 d342b0b1abfb52f8238f15947684c901
  SHA1 822148d3b2b2663c25b865a1f98516095c5e01b0
  SHA256 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404
  SHA512 e6558c4cc35d8b1784602695a7febec0aef5c9b6fba90fe4a90a8da27592678da6f61655770f35fc425c3de1d970576117982cffb12a9f9d1942daf7b32e4f75
- Filesize 2KB
  MD5 c1b73be75c9a5348a3e36e9ec2993f58
  SHA1 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
  SHA256 a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
  SHA512 fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
- Filesize 1.8MB (same digests as the analysed sample)
  MD5 8daf94b97ec9ab1d0cf61f9ef429808a
  SHA1 4e1a9a1813908a0c794eafb71779fb60b8418836
  SHA256 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437
  SHA512 87447bd5188c56e67f98d0e6299bd3e4b486d8632f227b72bca9865985ac6a485253474eec0d9ff5fc15f142b4244059d0b79fc608373a104eb78490a0cdac48
- Filesize 442KB
  MD5 85430baed3398695717b0263807cf97c
  SHA1 fffbee923cea216f50fce5d54219a188a5100f41
  SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
- Filesize 8.0MB
  MD5 a01c5ecd6108350ae23d2cddf0e77c17
  SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
- Filesize 256KB
  MD5 8c6935e87da511e3ce9e558dcb96c864
  SHA1 bb56f63e54e0a3ac846b6357fe506dd21b3c6532
  SHA256 ff1a8dbc2a33360cb7927cd6878b582bf82a4f8db0df8caf81b2e647be2232d8
  SHA512 17ef09eea0a54d485f590e06e269df7e5f5cd3a0f5b9e06817cae45ebdcdfb58d122882fa624f252126dc3e68efb595debf2c3cc9c8477b64ea33e82b22dff71
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz0s9619.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize 997KB
  MD5 fe3355639648c417e8307c6d051e3e37
  SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz0s9619.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize 116B
  MD5 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz0s9619.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize 479B
  MD5 49ddb419d96dceb9069018535fb2e2fc
  SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz0s9619.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize 372B
  MD5 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz0s9619.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize 11.8MB
  MD5 33bf7b0439480effb9fb212efce87b13
  SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz0s9619.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize 1KB
  MD5 688bed3676d2104e7f17ae1cd2c59404
  SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz0s9619.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize 1KB
  MD5 937326fead5fd401f6cca9118bd9ade9
  SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
- Filesize 992KB
  MD5 d89eaf4ebc18e6b14bf8781d4f01aae8
  SHA1 22cc55b1ec45cde28e8c4a842674aa9457582938
  SHA256 4069d870535590fc613542a6182cae7bd2509f9581e9536d1467f1481085b0e7
  SHA512 97408edc051c9500e5ba510d4d725a9d81a09691f8da23e7b67defb0cf1d266341d9497f343ed0725a06f8c24127750ee6e30946d61d41c54006b41a1deb4c9d
- Filesize 6KB
  MD5 095d13d2005c494126e5ccd7644913da
  SHA1 8a5bd76d5ba3ad469a2e1efb81501aa002f11dd7
  SHA256 8838ae75d9f864c942d854390d372f0a7cfa57e2dae6c61f536a0b4cabc03eca
  SHA512 ec294990f854c2c0b6bf7b27a3f80fb7f85fa8e994e80547fa2af94207b5b32accb44e44150cc6af368587d5651311e24effd7f894d79a247c1fa659f78b6901
- Filesize 7KB
  MD5 bc461790ba78aac8b8a75d5341f65449
  SHA1 100e2f6474d549349ccdca7e92d00577c56ca11a
  SHA256 32aec831d1019cf5a2869ec018841ea9792b25deaf5fc77d323a86bf969d0adb
  SHA512 48047452272a8e14ae0a1ba40639b45d5018f8e056ce9690bd19a21aecd87e35805829c64506fe682224f57e23765c78da70430e122e69bdc64bdce8ecbf6745
- Filesize 6KB
  MD5 e43798e151a04ed3a0dabbd4ec874e0c
  SHA1 7de0679c1c688128990ce454f75ea65b6d8f09cf
  SHA256 a75a7d47e413095538c34c41d56e0328ce2299491f69d2423b2e27fe3e328828
  SHA512 0e99f03126492448db256032426332ff4df352497b0a5bc443ebd240fe32a7007d94014dc6d6415e7490c4f7173b203319883f7a199458d1e4f11c9d57a7a05b
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz0s9619.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize 4KB
  MD5 9c9a8a733b3101ddf92ac3786628411b
  SHA1 1d7ee64c769655d25233c37aa8260512771880e5
  SHA256 d1f9300d76f4210f7b79803537583b5e0ddee5855f45e7d7ac495a254356b58d
  SHA512 00bcb7b89f32520966334ed45c6265ae7bc2082ee3ba78bfecedf66c8e3cac9c3b8206610227fff105b64b5bfe625cda201fac37c267ac8c76df3a8c0204ad15
- (zero-byte file: these are the digests of empty input, so this entry carries no content to match on)
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
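The Downloads list gives four digests per artefact but, for most entries, no path, so the practical way to use it on another host is to hash candidate files and compare. The matcher below is an added example, not code from the sandbox report or its vendor. Its IOC table is seeded with two SHA256 values copied from the report (the analysed sample and the zero-byte entry directly above); the scan directory, file names and file contents it creates are constructed for the demonstration and are not files from the analysis.

```python
"""Hash files under a directory and match them against SHA256 IOCs from the report.

Added example, not part of the sandbox report. IOC_TABLE values are copied from
the report; the demo directory and its files are constructed here.
"""
import hashlib
import os
import tempfile

# SHA256 -> label. Both digests are transcribed from the report above.
IOC_TABLE = {
    "2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437": "analysed sample (1.8MB)",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "zero-byte file",
}

# The report lists all four, so compute all four in one pass for the record.
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(path, chunk=1 << 20):
    """Return {algo: hexdigest} for a file, streaming it in 1 MiB chunks."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match(path, table=IOC_TABLE):
    """Return (sha256, label-or-None) for one file; matching is on SHA256 only."""
    d = digests(path)
    return d["sha256"], table.get(d["sha256"])


def scan(root, table=IOC_TABLE):
    """Walk root and return (path, sha256, label) for every IOC hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            sha256, label = match(path, table)
            if label is not None:
                hits.append((path, sha256, label))
    return hits


def demo():
    """Build a constructed directory: one empty file, one file of junk bytes."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    empty = os.path.join(root, "recovery.tmp")   # constructed name, not from the report
    open(empty, "wb").close()
    with open(os.path.join(root, "junk.bin"), "wb") as f:
        f.write(b"constructed content, not a file from the report\n")
    return root, empty, scan(root)


if __name__ == "__main__":
    _, _, hits = demo()
    for path, sha256, label in hits:
        print(f"{label}: {path} {sha256}")
```

Matching is done on SHA256 alone because MD5 and SHA1 collisions are cheap to produce; the other digests are computed only so a hit can be recorded with the same four values the report uses. The zero-byte entry will match any empty file, which is why the demo labels it rather than treating it as evidence of the sample.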