Analysis

max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240704-en
resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-07-2024 15:25

Static task: static1
Behavioral task: behavioral1
Sample: aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
Resource: win10v2004-20240704-en
General

Target: aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
Size: 1.8MB
MD5: be9279ae8e72bd3949041c5d612c9fa0
SHA1: 4dbce3694977610ff0aefeff93dfd83955a2b97e
SHA256: aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6
SHA512: 723e0489a74951b28619ee433bf9fae53f294a31a47e2843d43b8b34f88ea4a350375a837a98903f1236e9e86308d97dd22ea763877a59f02888beb10c00246c
SSDEEP: 49152:LUwzmoIrmSmUwvkdjfVWwshUl5cy0kS5xJw6:LUQIrREkdjA5eGyqbt
Malware Config

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php

Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
url_path: /920475a59bac849d.php
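The two extracted configs give everything needed to turn this report into hunting indicators. The Python below is an added example, not part of the report and not the malware's own code: it joins each C2 host with its url_path, derives the Amadey install path and the scheduled-task job file exactly as they appear in the process tree and IoCs on this page, and scans a few constructed proxy-log lines (not from the sandbox run) for C2 traffic. The proxy-log layout, the sandbox user profile path and the helper names are this example's own assumptions.

```python
"""Derive hunting indicators from the extracted Amadey/Stealc configs and scan
proxy-log lines for C2 traffic.  Added example: config values are copied from
this report; the log lines and helper names are constructed for illustration."""
from urllib.parse import urljoin, urlsplit

AMADEY_CONFIG = {
    "family": "amadey",
    "version": "4.30",
    "botnet": "4dd39d",
    "c2": "http://77.91.77.82",
    "install_dir": "ad40971b6b",
    "install_file": "explorti.exe",
    "url_paths": ["/Hun4Ko/index.php"],
}
STEALC_CONFIG = {
    "family": "stealc",
    "botnet": "hate",
    "c2": "http://85.28.47.30",
    "url_paths": ["/920475a59bac849d.php"],
}


def c2_urls(config):
    """Full C2 URLs: the C2 base joined with every url_path, slashes normalised."""
    base = config["c2"].rstrip("/") + "/"
    return [urljoin(base, path.lstrip("/")) for path in config["url_paths"]]


def host_artifacts(config, local_appdata=r"C:\Users\Admin\AppData\Local"):
    r"""On-disk persistence artifacts for an Amadey config: the dropped copy in
    %LOCALAPPDATA%\Temp\<install_dir>\<install_file> and the scheduled-task job
    file C:\Windows\Tasks\<install_file stem>.job, both observed in this run.
    'Admin' is the sandbox user; substitute real profile paths when hunting."""
    if "install_dir" not in config:
        return []
    exe = "\\".join([local_appdata, "Temp", config["install_dir"], config["install_file"]])
    stem = config["install_file"].rsplit(".", 1)[0]
    return [exe, "C:\\Windows\\Tasks\\" + stem + ".job"]


# Constructed proxy-log lines (not from the sandbox run): "<ts> <client> <method> <url>"
SAMPLE_PROXY_LOG = [
    "2024-07-09T15:26:01 10.0.0.7 POST http://77.91.77.82/Hun4Ko/index.php",
    "2024-07-09T15:26:05 10.0.0.7 GET http://77.91.77.82/Hun4Ko/",
    "2024-07-09T15:26:20 10.0.0.7 POST http://85.28.47.30/920475a59bac849d.php",
    "2024-07-09T15:27:00 10.0.0.9 GET https://www.youtube.com/account",
]


def match_log(lines, configs):
    """Return (line, family, reason) for every line that touches a C2.
    An exact C2 URL hit is tagged 'c2_url'; any other request to the same host
    is tagged 'c2_host', because the config pins the host, not only the path."""
    by_url, by_host = {}, {}
    for cfg in configs:
        by_host[urlsplit(cfg["c2"]).hostname] = cfg["family"]
        for url in c2_urls(cfg):
            by_url[url] = cfg["family"]
    hits = []
    for line in lines:
        url = line.split()[-1]
        host = urlsplit(url).hostname
        if url in by_url:
            hits.append((line, by_url[url], "c2_url"))
        elif host in by_host:
            hits.append((line, by_host[host], "c2_host"))
    return hits


if __name__ == "__main__":
    for cfg in (AMADEY_CONFIG, STEALC_CONFIG):
        print(cfg["family"], c2_urls(cfg), host_artifacts(cfg))
    for line, family, reason in match_log(SAMPLE_PROXY_LOG, [AMADEY_CONFIG, STEALC_CONFIG]):
        print(f"{family:7} {reason:8} {line}")
```

The Stealc config carries no install_dir, so host_artifacts returns nothing for it; its only durable indicator here is the C2 URL.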
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
The ACPI\DSDT\VBOX__ key only exists when the firmware tables were supplied by VirtualBox, so opening it is a direct hypervisor check.
Processes: explorti.exe, EHJJECBKKE.exe, aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | EHJJECBKKE.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, EHJJECBKKE.exe, aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | EHJJECBKKE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | EHJJECBKKE.exe

Executes dropped EXE (7 IoCs)
pid | process
3260 | explorti.exe
2684 | 38fca796db.exe
3792 | 69fe6f9294.exe
7080 | EHJJECBKKE.exe
3184 | explorti.exe
6912 | explorti.exe
7104 | explorti.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorti.exe, aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe, EHJJECBKKE.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Wine | aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
Key opened | \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Wine | EHJJECBKKE.exe
Key opened | \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Wine | explorti.exe

Loads dropped DLL (2 IoCs)
pid | process
2684 | 38fca796db.exe
2684 | 38fca796db.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
pid | process
3248 | aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
3260 | explorti.exe
2684 | 38fca796db.exe
2684 | 38fca796db.exe
2684 | 38fca796db.exe
7080 | EHJJECBKKE.exe
3184 | explorti.exe
6912 | explorti.exe

Drops file in Windows directory (1 IoC)
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, 38fca796db.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 38fca796db.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 38fca796db.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: msedge.exe, chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Modifies registry class (1 IoC)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | process | occurrences
3248 | aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe | 2
3260 | explorti.exe | 2
2684 | 38fca796db.exe | 4
1836 | msedge.exe | 2
4352 | msedge.exe | 2
3480 | chrome.exe | 2
6368 | msedge.exe | 2
7080 | EHJJECBKKE.exe | 2
6308 | identity_helper.exe | 2
3184 | explorti.exe | 2
6912 | explorti.exe | 2
7052 | msedge.exe | 4
6192 | chrome.exe | 2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
pid | process | occurrences
4352 | msedge.exe | 7
3480 | chrome.exe | 3

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process | occurrences
Token: SeDebugPrivilege | 2152 | firefox.exe | 2
Token: SeShutdownPrivilege | 3480 | chrome.exe | 31
Token: SeCreatePagefilePrivilege | 3480 | chrome.exe | 31

Suspicious use of FindShellTrayWindow (55 IoCs)
pid | process | occurrences
4352 | msedge.exe | 25
3480 | chrome.exe | 26
2152 | firefox.exe | 4

Suspicious use of SendNotifyMessage (27 IoCs)
pid | process | occurrences
4352 | msedge.exe | 12
3480 | chrome.exe | 12
2152 | firefox.exe | 3

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | process
2684 | 38fca796db.exe
2152 | firefox.exe
6996 | cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process | occurrences
PID 3248 wrote to memory of 3260 | 3248 | aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe | explorti.exe | 3
PID 3260 wrote to memory of 2684 | 3260 | explorti.exe | 38fca796db.exe | 3
PID 3260 wrote to memory of 3792 | 3260 | explorti.exe | 69fe6f9294.exe | 3
PID 3792 wrote to memory of 3148 | 3792 | 69fe6f9294.exe | cmd.exe | 2
PID 3148 wrote to memory of 3480 | 3148 | cmd.exe | chrome.exe | 2
PID 3148 wrote to memory of 4352 | 3148 | cmd.exe | msedge.exe | 2
PID 3148 wrote to memory of 2324 | 3148 | cmd.exe | firefox.exe | 2
PID 3480 wrote to memory of 1492 | 3480 | chrome.exe | chrome.exe | 2
PID 4352 wrote to memory of 2392 | 4352 | msedge.exe | msedge.exe | 2
PID 2324 wrote to memory of 2152 | 2324 | firefox.exe | firefox.exe | 11
PID 2152 wrote to memory of 712 | 2152 | firefox.exe | firefox.exe | 32

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
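Several of the registry signatures above (ACPI DSDT\VBOX__, SystemBiosVersion/VideoBiosVersion, HKCU\Software\Wine) are classic sandbox-evasion probes, while CentralProcessor and BIOS\SystemManufacturer reads are also made by ordinary browsers. The Python below is an added example, not part of the report: it parses rows in the same "description ioc process" form as the tables above (a subset copied from them) and scores each process by which anti-analysis keys it touched, so the dropper, explorti.exe and EHJJECBKKE.exe stand out while firefox.exe and msedge.exe do not. The key patterns, weights and threshold are this example's own assumptions.

```python
"""Score processes by the anti-analysis registry keys they probe.  Added example,
not part of the report: the event rows are a subset copied from the tables above,
while the key patterns, weights and threshold are this example's own."""
import re
from collections import defaultdict

# (regex on the registry path, technique tag, weight).  Reads of CentralProcessor
# and BIOS\SystemManufacturer are also made by ordinary browsers, so they carry
# weight 0 and are recorded for context only.
ANTI_ANALYSIS_KEYS = [
    (r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "vbox_acpi", 3),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "bios_version", 1),
    (r"\\Software\\Wine$", "wine", 2),
    (r"\\CentralProcessor\\0", "cpu_info", 0),
    (r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", "smbios_info", 0),
]

# Rows in the report's "description ioc process" form (subset copied from above).
EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ EHJJECBKKE.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion EHJJECBKKE.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
Key opened \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Wine explorti.exe
Key opened \REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\Software\Wine aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 38fca796db.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
"""

ACTIONS = ("Key value queried", "Key opened", "Key created")


def parse_events(text):
    r"""Yield (action, registry_path, process).  A path may contain spaces
    (CentralProcessor\0\Update Signature), so split on the known action prefix
    and on the last space instead of on arbitrary whitespace."""
    for raw in text.strip().splitlines():
        line = raw.strip()
        action = next((a for a in ACTIONS if line.startswith(a + " ")), None)
        if action is None:
            continue
        path, _, process = line[len(action) + 1:].rpartition(" ")
        yield action, path, process


def score_processes(events):
    """Return {process: (score, sorted technique tags)}."""
    weights = {tag: w for _pat, tag, w in ANTI_ANALYSIS_KEYS}
    tags_by_process = defaultdict(set)
    for _action, path, process in events:
        for pattern, tag, _w in ANTI_ANALYSIS_KEYS:
            if re.search(pattern, path):
                tags_by_process[process].add(tag)
    return {p: (sum(weights[t] for t in tags), sorted(tags))
            for p, tags in tags_by_process.items()}


def suspicious(scores, threshold=3):
    """Processes whose score reaches the threshold (a VBOX__ probe alone is enough)."""
    return sorted(p for p, (score, _tags) in scores.items() if score >= threshold)


if __name__ == "__main__":
    scores = score_processes(parse_events(EVENTS))
    for proc in sorted(scores, key=lambda p: -scores[p][0]):
        print(f"{scores[proc][0]:2d}  {proc:<70} {', '.join(scores[proc][1])}")
    print("suspicious:", suspicious(scores))
```

The weights are deliberately uneven: VBOX__ and Software\Wine have no business being opened by a legitimate application, whereas BiosVersion reads are weak on their own and only add confidence.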
Processes (indented by process-tree depth; PID in parentheses)

[1] C:\Users\Admin\AppData\Local\Temp\aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe (PID 3248)
    command line: "C:\Users\Admin\AppData\Local\Temp\aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 3260)
      command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1000006001\38fca796db.exe (PID 2684)
        command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\38fca796db.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\SysWOW64\cmd.exe (PID 6972)
          command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHJJECBKKE.exe"

        [5] C:\Users\Admin\AppData\Local\Temp\EHJJECBKKE.exe (PID 7080)
            command line: "C:\Users\Admin\AppData\Local\Temp\EHJJECBKKE.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses

      [4] C:\Windows\SysWOW64\cmd.exe (PID 6996)
          command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHDHJEBFBF.exe"
          - Suspicious use of SetWindowsHookEx

    [3] C:\Users\Admin\AppData\Local\Temp\1000010001\69fe6f9294.exe (PID 3792)
        command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\69fe6f9294.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe (PID 3148)
          command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A911.tmp\A912.tmp\A913.bat C:\Users\Admin\AppData\Local\Temp\1000010001\69fe6f9294.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3480)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1492)
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffeb9e4ab58,0x7ffeb9e4ab68,0x7ffeb9e4ab78

          [6] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2816)
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:2

          [6] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4528)
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:8

          [6] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3252)
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1900 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:8

          [6] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3272)
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:1

          [6] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2080)
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:1

          [6] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5612)
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:1

          [6] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6192)
              command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:2
              - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4352)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2392)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffeb9cf3cb8,0x7ffeb9cf3cc8,0x7ffeb9cf3cd8

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1108)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1836)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4988)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2608)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6132)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6368)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
              - Suspicious behavior: EnumeratesProcesses

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6496)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6504)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6728)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6736)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 6308)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
              - Suspicious behavior: EnumeratesProcesses

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 7052)
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2920 /prefetch:2
              - Suspicious behavior: EnumeratesProcesses
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
- Suspicious use of WriteProcessMemory
PID: 2324

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2152

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.0.1107938817\1610053767" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22035 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22be7227-7411-49c0-98ab-6976d1360235} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 1840 1b862e0d458 gpu
PID: 712

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.1.1835959923\797782370" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 22886 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73c6d71a-9369-473f-8d26-8beae36802b6} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 2436 1b84ea84d58 socket
PID: 2212

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.2.1184062084\1354519612" -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 22924 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7595a914-d3df-45ef-a59c-f2de56fb4d98} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 3272 1b86584b958 tab
PID: 1828

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.3.297973513\1536161421" -childID 2 -isForBrowser -prefsHandle 2980 -prefMapHandle 3124 -prefsLen 27575 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c3f0c65-20f5-4b47-b5c9-51ac3ac7a19f} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 2968 1b84ea76b58 tab
PID: 5192

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.4.349218032\1608961938" -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5200 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9db1f39f-618c-4210-854e-4e30657af2f1} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 5244 1b86a6bef58 tab
PID: 5588

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.5.114590502\2035661826" -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5372 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7dd4b6b-bf15-495f-8519-d07bb274186a} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 5408 1b86ae7fb58 tab
PID: 5684

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.6.170471861\886261559" -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02fe976-39fd-4637-b555-da5ca3dcd74d} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 5684 1b86ae80458 tab
PID: 5808
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1452

C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 5388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (tree depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 5584
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3184

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6912

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Executes dropped EXE
PID: 7104
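The three top-level explorti.exe instances above carry the same cluster of anti-analysis signatures (VirtualBox ACPI key, BIOS version values, Wine registry key, NtSetInformationThread with ThreadHideFromDebugger). The script below, an added example and not the sandbox's own detection code, shows how a triage rule set turns raw per-process registry and API events into those signature names and a per-process verdict. The registry paths are the standard VirtualBox, BIOS and Wine indicators; the event rows in SAMPLE_EVENTS are constructed to look like a sandbox log (the PIDs follow the tree, the rows themselves are invented), and treating the BIOS read as a weak signal that never produces a verdict on its own is this example's design choice, since inventory and support tooling reads the same values.

```python
"""Classify per-process sandbox events into the anti-analysis signatures named
in the process tree (VirtualBox ACPI key, BIOS values, Wine key,
NtSetInformationThread/ThreadHideFromDebugger) and derive a verdict.

Added example for this page, not the sandbox's own code. SAMPLE_EVENTS is
constructed; the registry paths are the well-known indicators.
"""
import re
from collections import defaultdict

# (signature name, event kind it applies to, pattern matched against the event target)
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "key_open",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("Checks BIOS information in registry", "value_query",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I)),
    ("Identifies Wine through registry keys", "key_open",
     re.compile(r"\\Software\\Wine$", re.I)),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "api_call",
     re.compile(r"^NtSetInformationThread\(ThreadHideFromDebugger\)$", re.I)),
]

# Legitimate inventory/support code reads BIOS strings too, so this signature
# alone never decides a verdict (example's assumption, not the sandbox's rule).
WEAK_SIGNATURES = {"Checks BIOS information in registry"}

SAMPLE_EVENTS = [  # constructed rows; PIDs follow the tree above, the rows do not
    {"pid": 3184, "image": "explorti.exe", "kind": "key_open",
     "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 3184, "image": "explorti.exe", "kind": "value_query",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 3184, "image": "explorti.exe", "kind": "value_query",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 3184, "image": "explorti.exe", "kind": "key_open",
     "target": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Wine"},
    {"pid": 3184, "image": "explorti.exe", "kind": "api_call",
     "target": "NtSetInformationThread(ThreadHideFromDebugger)"},
    {"pid": 7104, "image": "explorti.exe", "kind": "key_open",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"pid": 6728, "image": "msedge.exe", "kind": "value_query",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]


def classify(events):
    """Map (pid, image) to the set of signature names its events triggered."""
    hits = defaultdict(set)
    for ev in events:
        for name, kind, pattern in RULES:
            if ev["kind"] == kind and pattern.search(ev["target"]):
                hits[(ev["pid"], ev["image"])].add(name)
    return dict(hits)


def verdict(signatures):
    """Two or more strong signatures: anti-analysis; exactly one: suspicious; else benign."""
    strong = set(signatures) - WEAK_SIGNATURES
    if len(strong) >= 2:
        return "anti-analysis"
    return "suspicious" if strong else "benign"


def triage(events):
    """Per-process (verdict, sorted signature names); processes with no hits are omitted."""
    return {proc: (verdict(sigs), sorted(sigs)) for proc, sigs in classify(events).items()}


if __name__ == "__main__":
    for (pid, image), (label, sigs) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{image} (PID {pid}): {label}")
        for sig in sigs:
            print(f"  - {sig}")
```

Feed it the event rows of a real run and the msedge.exe row shows why the weak-signal split matters: a browser reading SystemBiosVersion is routine, whereas explorti.exe pairing the VirtualBox and Wine checks with ThreadHideFromDebugger is the pattern that justifies a detonation on bare metal or a hardened VM.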
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6KB
MD5: 7146ba5897357bbe4651b1a1c3f38bf4
SHA1: 67c4acb51c5be9288844643339f4ce8df02dcf29
SHA256: 3e37c161501694341ab73a098fccedad90fc0827a6d80c7186485d5f2c1d8d66
SHA512: 4818d9a311a4c542d600630048ef212118e7a08d4bf7486ba1d144cab27ab80e52933182b021a632474320da72ffad795acc2e0867b4b6f838be6d4fed53b247

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 216B
MD5: 72e91617c6220d5b6f779867a84c154f
SHA1: e12b59186ce9f5c6d511ab9f067e38a052059c3b
SHA256: c5e5ee65b27b86bfaa6242a3216d0e2ca94123acf13522d09fc82b50ef1dfa27
SHA512: 228ff700b257a160ad847725b8f45d92169489943b016ff123d4e44d6150f4b6f10ca470e9dfcd54f9bbffb56a0ca7588c1c8beb8992d19bf3fb85e37ace5b43

Filesize: 2KB
MD5: 8331fa9dc34188d1f58f04139abc1445
SHA1: edf25f3d4d3c0750a71b99eb5cc1d4230988f9db
SHA256: 735257e20eb5755d24d926063d4eb91230594f40d3724f6f1335d854f3201e0d
SHA512: 1d3c052394dac630ced5cb63150c4ce1f3d623e0dc7886c2ac4d473c6337ac7a588f211656fbd84f3f950947a962ec7ad7b23dced7af590790bd54262501ff7f

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 524B
MD5: 655b21524e3c4e3d601755e2272cf5a3
SHA1: 4a44c76f09c81a24bb6b589080f24f73908e4fdc
SHA256: 4345554b6523290e01a9322669ef2fcaaf2676f413456a2ad4b89215a0825184
SHA512: e52cfbaaf7da06ee777e279851c73dc805118150fee82665a1500b20a929af46319fc90e683fac34e987a43b46737cdc3c5f10283e7d2fb4e20a522e9d589000

Filesize: 7KB
MD5: 05c912a25c832004b765535c0964326a
SHA1: f8f64cb03fa867dc92556ed3a2c80921c1cf9b97
SHA256: 4add8219ed3154e92a2097ee07d6ae727fa07a18124c7a3844d9e39a8a96105d
SHA512: 92832c0e3059f8208f135246a3976e4470c60b9238515cf3f829f93ca18a8b5a179c32871e9069bdd30277a9c126211ed507fc02db678514e4712cadce074731

Filesize: 144KB
MD5: 3cb15518e3e6aafcab3debd887ba592f
SHA1: ef73dc838fe9a264917b050b98d51a367b4fcc9e
SHA256: b70d28021714f52b619a1659f2cbb6d00a6c02a4ac1dcf4fa3a533539e98084a
SHA512: d22ac1f13e4ff28e2e84bba2d76ee61186fadc1f1ba41ddd290c6f0270c4d15975e2088f2ba38c0adcf9e2a0ee0a126a8fcb50a00a64302002b92f812c027498

Filesize: 11KB
MD5: b1f23e041eeb8288f59c6339bb53c4be
SHA1: 219cfc38bd29e259c34948889daaf69ffc022917
SHA256: 6c1bf304a8963bcbe8e7fe62d2645819e1b8731f172761173c91ada1e00c54e6
SHA512: 05a019d829ab8f037545805da5122f9160311658d4e9ab9e9903e9da33ea79f5d0b6beb013bad1999a02d88937de73b21c1f5d97a5159b391d56607506959af0
Filesize: 152B
MD5: b88c419948b22d8f079311239c952096
SHA1: 57bde0e55d3ad4c555f1dae4224a64a0d2375da9
SHA256: d424881e070ffbdcf8801a339813bcd5dbdd9c1d121d197e7924adceeed0ab4a
SHA512: 76bcb75c16d21cb2f452f19562c2d311e3741c6aaf22128ec6b2c37159c9b28c3337ff6a57a38430b0c249d6d4eca7185a859ca32515dc44de106fb0a45d6c3b

Filesize: 152B
MD5: 8f99c482b569e51ec044a39d33e5aa9d
SHA1: c4118d25e83679a64720b0c32ae30aa6fab0fe26
SHA256: cc73e826d62a46c84cc26263266fb7015c15180e3844062e35305875b1180895
SHA512: 2693cc5e9b465a2296700d2563469b53460b82b87125793a638e9efd6b69b30fe232206b194b31fd07b85f9dc50b7aed92bf96845827d695088638b8574a8ab8

Filesize: 67KB
MD5: 51c3c3d00a4a5a9d730c04c615f2639b
SHA1: 3b92cce727fc1fb03e982eb611935218c821948f
SHA256: cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA512: 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

Filesize: 33KB
MD5: 1c0c8433626cac08202f23a1dae54325
SHA1: 3a5700eeeacd9f9d6b17c2707f75f29308658cd3
SHA256: 7aad4c7a174a145a4f9f11506145b521631ee2cb1ca2f7617b900ba515b31cd3
SHA512: da693d1d63c9971cb80792063f0e8d3335edb67ee1dcde4040d0dc8f44398f99d9f683eaab8cf44ebf5cdb78eae6672d43fd9ed9b45a526a80a311d8c77bcc8c

Filesize: 36KB
MD5: 103d7813f0ccc7445b4b9a4b34fc74bf
SHA1: ed862e8ebd885acde6115c340e59e50e74e3633b
SHA256: 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA512: 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 216B
MD5: daf6d0c89db3e2bf44f23905048cfd15
SHA1: 0f3e88bd5ac3b25d381dd1a109058139fa134f86
SHA256: 02e0e788fa5e0b2cbf88373ad9b98599166e9fdadfce1a96b4e149b50852a9cc
SHA512: a056be4e7d3bc4ed118ffa2aabcb72a77190c56a167a3889912e9cc1b84c7beb916d25f6c9e7ada812d2c4758575470d299b4df01bc5b77ea7e68f597938458b

Filesize: 1KB
MD5: fe590e11ee26e19a3f8aed889f46259d
SHA1: a7f65b3b1a2353bf6495336f473fa1ee762364f4
SHA256: f2237efa7665d208f3fc1eb0d99bd008cb2cf784df5f018e4dd8f0aa5f68d700
SHA512: d989d1a80c8d68313c7cca808c6c71b9ed8a8cc7eee44adb9f7fe2cd83a035e139052b56019d06bc5fdde596577cf75f13308e5d115878b4d4a97bd5339635f5

Filesize: 5KB
MD5: 66e59aec1ddc25bee02b1c3c5002440e
SHA1: a2aa4c2bf7d7b96d77ca8692fbe61fccb2795850
SHA256: 108df612d33637cac81679d54edfaf42275803b841fc960290a75cdb36b0e979
SHA512: 60f9f58baf7b83df530244cd4144604c278bcbe5a8d07ff29e1406013bb95d11d000aecf521e18d024714a3764a59fb3160c574d64f611bfbe6f7f5d95943704

Filesize: 6KB
MD5: b594dfac094bb4902be89bc1e7c7e9ef
SHA1: e3b1ea40470a55782733ba4660b893745348c4b5
SHA256: f3b05dd2385f11850dd59e4a32e21c4444e1bee72bc615642f63a8778eaaee81
SHA512: e90ce649a7225dcfbb4bf7a7c6d82e4dde6001603cfb6b3e7e98f4cb80577bbf233538d54a13ef3b22dc38661fc925dc9df315658a7595bd22eed4efe0363662

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5: d38942c9a77057aa742a5f10cbee5147
SHA1: 1e55c57dbe89fd6b3181b9c102883ee87b9dafb4
SHA256: bf5c25238fcfd4a2f791c5c355b7db4cf27664e903e245124cac6e06bd41e892
SHA512: 00528b12c9c1235e1c310a470122cb46c1c6bdc14f9c26eb68925c35ee2b31f0d5f5ff1d3f3a8f924818933eaca24b0812ee1d181141040c8711833f3d2bb37c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 22KB
MD5: 0786b053d264943916126989a85f70be
SHA1: 6b8a1bde03fa35e508a53c1a77ce3cc6033bc6f1
SHA256: 7ea6d81e7cdb993680156dbb713c6a4cd24b9ad324efd1dcfc5e1835db7a7bdf
SHA512: fe6471c974209b84bedc1bb655781ecba3c9962134f0de4a4154b7170e48736fcfd0a7bc586048e903bd44f0804308f9671f4a4a7d140beeb4f3304e3d4ccb41

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize: 13KB
MD5: 3f81dc9d813f50b04afae38c6ea1dce6
SHA1: 3b788479ae3a20c9dc910f3bbcc8a69314220125
SHA256: 41929b327c0bce9bfb0ab993d7a3424a649fa622ccf250f78f9a8f6345197a8c
SHA512: 9b81ec7738a677a16942d348e6f4811d4d3f0028717719a2de674a61232877d2ac071624372cc24de6ae4875a2ad1d543b2b5308029ecb8a988bf2e804b9374f

Filesize: 2.4MB
MD5: c03d62f485ea79a178992f22c713c4a5
SHA1: aa16eb2b07a4b91b44c9e484923eb8bbcaf893d0
SHA256: 546b5457cd26c9230fc49a456197aeeb761241adc2dd2774c37b1d3189968cb9
SHA512: 3051d67889704c3adfe2748612d88b40acdde17b3fcf54ef8ae7466bd38b121db130300b53c9db9a981292507cf830d99bcd86ccacf320ec0198faa40af043fb

Filesize: 89KB
MD5: bc08b445116ecc06852a929a5d302c4a
SHA1: a78aa42220b90d47b4cf63119e6082f06b295f57
SHA256: 5b232254dd2d33eb576516116977c884fba81d5a8427f742a73655f9e076efc6
SHA512: 657a21d453112fb909be4005e0cab1ebf467840e275a159eb535b486432ffa0bfcc60da92475b26f08a0ea481c927654520a43163e04e34324551cb3bfd69fdf

Filesize: 2KB
MD5: de9423d9c334ba3dba7dc874aa7dbc28
SHA1: bf38b137b8d780b3d6d62aee03c9d3f73770d638
SHA256: a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
SHA512: 63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

Filesize: 1.8MB
MD5: be9279ae8e72bd3949041c5d612c9fa0
SHA1: 4dbce3694977610ff0aefeff93dfd83955a2b97e
SHA256: aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6
SHA512: 723e0489a74951b28619ee433bf9fae53f294a31a47e2843d43b8b34f88ea4a350375a837a98903f1236e9e86308d97dd22ea763877a59f02888beb10c00246c

Filesize: 768KB
MD5: 8a5bb8959735941439a7ca88d86581ad
SHA1: 8320582c79dd4563e10b3929de546f9f810651f5
SHA256: 489b98dc1520a910533dab7183b8d3473de19bc5f5481846fcf689310b23191c
SHA512: 6b56d3230e45b39ca50d0384feb8f4651507aa49c520d994d7aa2f130473542153a62826f61d6dc50ba10c47b19f1d1f2d15a494b39909526141194271417faa

Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Filesize: 256KB
MD5: 6f35eec265031f5392ab5280302c7534
SHA1: 1c02d828be829979f7089b36e5c9d0cc295964f3
SHA256: dcc3d1bc5b86c0102214498310eab146b2c4cc69f22c86e9c4e001e9bf198adb
SHA512: 947a346be5c18e0d5135c4eaac62f361fec1fe1fae92d342902245c4f1f0a58d132c629847634e49c4fc42e673d3ca5a7bd6ef3db13ea204b26149a8ee9be0a9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Filesize: 992KB
MD5: 370680270f41db3431ad35e07a4f355a
SHA1: d624f55f1771196c43556b71ed50a84395c1a9b5
SHA256: f65ee9de68c484f02044813b2ce5b3902dc4f12738b9604fcbe362d62562d1fd
SHA512: 12d1ffcb801d0a878e73f599e9797679354c4d3873f8c2cda9ebe93eb857e26781f0943fc715c7875d635f3ec723e4a32926876e911f8f1b24fe1ed9338a6d4c
Filesize: 7KB
MD5: 678b07760f06aa35ef9143e5e302ec0a
SHA1: daa4d674161ba2378111b0641955513e678471fd
SHA256: 6e164b3ba2575a3d00a8e12b8be3df05a6acae039a1a5c8f2736a86fb965cf4e
SHA512: c7d38a5da1abc1b18f4a36167f062e041bcc697713f1e2dac5f9e772557b3fac4efefba593d75550a6e21cb8f3bdf15984d8d0248962100533f73a4e81b16aa6

Filesize: 8KB
MD5: 340c322cac4a49279b07e03f5bca8f0a
SHA1: a504a9e1cea0e7a92933ef2dc67ec92fa188491d
SHA256: 685840b098efacd6351090901fb0047124c213b2dd21fae09265ae57ff360a20
SHA512: c0e271221f6de6e7298fa3e77f380336cbe553333a809d4a589ef2ca23110df5d769b476ed2578fa13e72a1f4dc7d9c4f4c29cdf988eab531b5c09ef24c9e017

Filesize: 6KB
MD5: 4df6724633b09fc12be6cc6f2db30134
SHA1: af48ac2b5d2d4ea12dcd80f7b9e07d562e8de770
SHA256: 494e8a3c13a9099289e076a5329cba38ab303ed0c6203265829894189e5b98c3
SHA512: c2881435a9139d37fc7ae243ef4b6ac5cf20f51f3d1860cb151f10b04d21d95a96543e3957e1fa12da9e4214b573ba9409b42aadbf4390ee4ab4f83b3db810bb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: c200c241697c176ee888c312072eb040
SHA1: d5877f760bf866ee94601a929fd4fdf948ed3c9a
SHA256: 1b98a6a69b3e2e865cf1d3ccf35dd0b3b03618bf24d6b30a62c847a1e06629bb
SHA512: bce11e0cc3774299c9c17202416d67ef9aabe3c07566822fa293d4c860a71850e575e6375c6152d80243e4da98a2fdfd95dbd55dd0bc58a6c237ec9133074eb6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 512KB
MD5: f6a7b3b8ea095397fe08a2ff2dbe2224
SHA1: 17f2b77a5c42d8634521d00b5c08395411d63360
SHA256: a51631c8005fbdee18dbd5605ba4c2443d106984413bfaa4e045699f12b0b6f2
SHA512: a46b4b729b17895fc86bc84461034762ce0ae6a2af73ed244705687d9ef6b5e7ffff2a43058245f2ff8fca5f6a4457e521ddb0b8e4b2fde41aeb00c196845b6e

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(No size was recorded for this entry; all four values are the digests of empty input, i.e. a zero-byte file.)
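Most of the records in this section are browser-profile files rather than payloads, and several (the 2-byte and the zero-byte entries) hash to trivially empty content. Before any of these digests go into a blocklist they need to be parsed out of the flattened text, checked for length, and filtered. The script below is an added example for this page, not the sandbox's own code: it accepts both the label-fused form that extraction produces ("MD57146...", or "Filesize" with its value on the next line) and "Label: value" lines, validates digest lengths, recognises records whose digests match known trivial content, and emits the SHA-256 set worth keeping. SAMPLE is constructed from three of the records above; the KNOWN_TRIVIAL table and the choice to key the blocklist on SHA-256 are this example's assumptions.

```python
"""Parse a sandbox report's flattened "Downloads" hash records into structured
IOC entries, validate them, and drop the ones that are only empty content.

Added example for this page, not the sandbox's own code. SAMPLE is constructed
from three records on the page; KNOWN_TRIVIAL is this example's own table.
"""
import hashlib
import re

ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_RE = re.compile(r"^(MD5|SHA256|SHA512|SHA1):?\s*([0-9A-Fa-f]*)$")
_SIZE_RE = re.compile(r"^Filesize:?\s*(\S*)$")
_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Content whose digests routinely show up in browser-profile dumps and mean "nothing here".
KNOWN_TRIVIAL = {b"": "empty file", b"[]": "empty JSON array"}

SAMPLE = r"""
-
Filesize
1.8MB
MD5be9279ae8e72bd3949041c5d612c9fa0
SHA14dbce3694977610ff0aefeff93dfd83955a2b97e
SHA256aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6
SHA512723e0489a74951b28619ee433bf9fae53f294a31a47e2843d43b8b34f88ea4a350375a837a98903f1236e9e86308d97dd22ea763877a59f02888beb10c00246c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def parse_downloads(text):
    """Return one {"path"?, "size"?, "hashes": {ALGO: hex}} dict per record."""
    records, cur, pending = [], {}, None

    def close():
        nonlocal cur
        if cur.get("hashes"):
            records.append(cur)
        cur = {}

    for raw in text.splitlines():
        line = raw.strip()
        if pending:                          # label stood alone on the previous line
            if pending == "size":
                cur["size"] = line
            else:
                cur.setdefault("hashes", {})[pending] = line.lower()
            pending = None
        elif line in ("", "-"):              # record separator
            if cur.get("hashes"):
                close()
        elif _PATH_RE.match(line):           # record that carries its on-disk path
            close()
            cur["path"] = line
        elif m := _SIZE_RE.match(line):
            if m.group(1):
                cur["size"] = m.group(1)
            else:
                pending = "size"
        elif m := _HASH_RE.match(line):
            if m.group(2):
                cur.setdefault("hashes", {})[m.group(1)] = m.group(2).lower()
            else:
                pending = m.group(1)
    close()
    return records


def validate(record):
    """List the problems with a record's digests (empty list when it is well-formed)."""
    hashes = record.get("hashes", {})
    problems = [f"{a}: expected {HEX_LEN[a]} hex chars, got {len(h)}"
                for a, h in hashes.items() if len(h) != HEX_LEN[a]]
    problems += [f"{a}: missing" for a in ALGOS if a not in hashes]
    return problems


def trivial_content(record):
    """Name the known trivial content whose digests match every digest present, else None."""
    hashes = record.get("hashes", {})
    for content, label in KNOWN_TRIVIAL.items():
        if hashes and all(hashlib.new(ALGOS[a], content).hexdigest() == h for a, h in hashes.items()):
            return label
    return None


def sha256_blocklist(records):
    """SHA-256 digests of the well-formed, non-trivial records."""
    return {r["hashes"]["SHA256"] for r in records
            if not validate(r) and trivial_content(r) is None}


if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE):
        print(rec.get("path", "(path not recorded)"), rec.get("size", "?"),
              validate(rec) or "ok", trivial_content(rec) or "")
    print(sorted(sha256_blocklist(parse_downloads(SAMPLE))))
```

Run it over the whole Downloads section: anything validate() flags is a transcription error in the report, and anything trivial_content() names is profile noise rather than a dropped payload.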