Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows11-21h2_x64
- resource: win11-20240704-en
- resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09-07-2024 08:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
- Resource: win10v2004-20240704-en
General
- Target: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
- Size: 1.8MB
- MD5: c752f0590732e52d4f044432da95e183
- SHA1: a28c1adeda34638d3432b044ebeedc46ec1eb077
- SHA256: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe
- SHA512: eb3f2eb63f4e3a657b354e12cdc4897010aa74b9af3ba5aec46a1a367b01b6e756f2961fba2de54e8cdf3d7a57ee168e0f1ba42f04a517723ec008d0ea5cffe8
- SSDEEP: 49152:gdy3+YnSXMLjI0ZrMq9XDBEAF2cCHUCTeTlpLkreOHH4:gdy3+CzI0R9XdDTCHUXTgH4
Malware Config
Extracted (amadey)
- Family: amadey
- Version: 4.30
- Botnet: 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php
Extracted (stealc)
- Family: stealc
- Botnet: hate
- C2: http://85.28.47.30
- url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes: DHDHCGHDHI.exe, CBFCFBFBFB.exe, explorti.exe, explorti.exe, 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DHDHCGHDHI.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CBFCFBFBFB.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe, explorti.exe, DHDHCGHDHI.exe, explorti.exe, explorti.exe, CBFCFBFBFB.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DHDHCGHDHI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DHDHCGHDHI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CBFCFBFBFB.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CBFCFBFBFB.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Executes dropped EXE (6 IoCs)
Processes: explorti.exe, 611d8ed037.exe, DHDHCGHDHI.exe, CBFCFBFBFB.exe, explorti.exe, explorti.exe
pid | process
2936 | explorti.exe
4456 | 611d8ed037.exe
6044 | DHDHCGHDHI.exe
2376 | CBFCFBFBFB.exe
5844 | explorti.exe
6020 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe, explorti.exe, DHDHCGHDHI.exe, CBFCFBFBFB.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Software\Wine | 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
Key opened | \REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Software\Wine | DHDHCGHDHI.exe
Key opened | \REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Software\Wine | CBFCFBFBFB.exe
Key opened | \REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Software\Wine | explorti.exe
Loads dropped DLL (2 IoCs)
Processes: 611d8ed037.exe
pid | process
4456 | 611d8ed037.exe
4456 | 611d8ed037.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe, explorti.exe, 611d8ed037.exe, DHDHCGHDHI.exe, CBFCFBFBFB.exe, explorti.exe, explorti.exe
pid | process
4340 | 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
2936 | explorti.exe
4456 | 611d8ed037.exe
4456 | 611d8ed037.exe
6044 | DHDHCGHDHI.exe
2376 | CBFCFBFBFB.exe
5844 | explorti.exe
6020 | explorti.exe
Drops file in Windows directory (1 IoCs)
Processes: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 611d8ed037.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 611d8ed037.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 611d8ed037.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: chrome.exe, msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies registry class (1 IoCs)
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe, explorti.exe, 611d8ed037.exe, msedge.exe, msedge.exe, chrome.exe, msedge.exe, DHDHCGHDHI.exe, CBFCFBFBFB.exe, identity_helper.exe, explorti.exe, explorti.exe, msedge.exe, chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes: msedge.exe, chrome.exe
pid | process
2880 | msedge.exe
2880 | msedge.exe
4064 | chrome.exe
4064 | chrome.exe
2880 | msedge.exe
4064 | chrome.exe
2880 | msedge.exe
2880 | msedge.exe
2880 | msedge.exe
2880 | msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: chrome.exe, firefox.exe
Suspicious use of FindShellTrayWindow (56 IoCs)
Processes: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe, msedge.exe, chrome.exe, firefox.exe
Suspicious use of SendNotifyMessage (27 IoCs)
Processes: msedge.exe, chrome.exe, firefox.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 611d8ed037.exe, firefox.exe
pid | process
4456 | 611d8ed037.exe
1452 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe, explorti.exe, cmd.exe, chrome.exe, msedge.exe, firefox.exe, firefox.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe"C:\Users\Admin\AppData\Local\Temp\38496375a79e482a0e93c4713e6f7127732edf7f0be1743b663f2c3ce7ba9dbe.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\1000006001\611d8ed037.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\611d8ed037.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4456 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHDHCGHDHI.exe"4⤵PID:5932
-
C:\Users\Admin\AppData\Local\Temp\DHDHCGHDHI.exe"C:\Users\Admin\AppData\Local\Temp\DHDHCGHDHI.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6044
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBFCFBFBFB.exe"4⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\CBFCFBFBFB.exe"C:\Users\Admin\AppData\Local\Temp\CBFCFBFBFB.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2376
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\bcacb8d491.cmd" "3⤵
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffc0a82ab58,0x7ffc0a82ab68,0x7ffc0a82ab785⤵PID:2004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=2208,i,4903078165919065068,9616888620903486527,131072 /prefetch:25⤵PID:4352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=2208,i,4903078165919065068,9616888620903486527,131072 /prefetch:85⤵PID:4660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1916 --field-trial-handle=2208,i,4903078165919065068,9616888620903486527,131072 /prefetch:85⤵PID:4652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=2208,i,4903078165919065068,9616888620903486527,131072 /prefetch:15⤵PID:1576
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=2208,i,4903078165919065068,9616888620903486527,131072 /prefetch:15⤵PID:4072
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4012 --field-trial-handle=2208,i,4903078165919065068,9616888620903486527,131072 /prefetch:15⤵PID:5340
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1448 --field-trial-handle=2208,i,4903078165919065068,9616888620903486527,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffc0a163cb8,0x7ffc0a163cc8,0x7ffc0a163cd85⤵PID:3052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2040 /prefetch:25⤵PID:2412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:85⤵PID:2700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:15⤵PID:2768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:15⤵PID:1972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:15⤵PID:5240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956
-
-
Image: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (process tree depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 5948

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (process tree depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
PID: 5516

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (process tree depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
PID: 5648

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (process tree depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
PID: 3908

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (process tree depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
PID: 6008

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (process tree depth 5)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,8871109319881774332,7291745889388757075,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5040 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID: 5908
Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 4)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
- Suspicious use of WriteProcessMemory
PID: 3908

Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1452

Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.0.1443360180\1007435338" -parentBuildID 20230214051806 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c1a4978-b0d3-4f44-a9fd-608568dbbc9a} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 1828 20b32b0c758 gpu
PID: 1532

Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.1.1425987767\345234826" -parentBuildID 20230214051806 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {effe42c7-3993-4e27-9d6d-017abca027f2} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 2428 20b25e84d58 socket
PID: 4208

Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.2.285574139\887376370" -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {295a4605-8997-43f8-8f8c-6281133cc5b4} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 3256 20b35a65958 tab
PID: 3588

Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.3.580281948\1063326562" -childID 2 -isForBrowser -prefsHandle 2940 -prefMapHandle 2832 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fecb0cfd-e7f6-4021-a053-1d2cb2ba7b1c} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 3556 20b25e3fa58 tab
PID: 4848

Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.4.606643544\300164122" -childID 3 -isForBrowser -prefsHandle 4280 -prefMapHandle 5248 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {060e6059-fa2e-4b29-9572-bc4a67894fde} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 5228 20b3a7fd958 tab
PID: 6080

Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.5.29333501\1528100330" -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7615351-f277-4e5e-84c0-01409c2d4cab} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 5476 20b3ac9ec58 tab
PID: 6100

Image: C:\Program Files\Mozilla Firefox\firefox.exe (process tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.6.439823838\283104485" -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5592 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36f7cfdc-e14d-4768-99e3-11c763067b2e} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 5452 20b3ac9fb58 tab
PID: 3256
Image: C:\Windows\System32\CompPkgSrv.exe (process tree depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 5076

Image: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (process tree depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 3288

Image: C:\Windows\System32\CompPkgSrv.exe (process tree depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 596

Image: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 5844

Image: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6020
Network
MITRE ATT&CK Enterprise v15
Downloads