Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
09-07-2024 21:39
Static task
static1
Behavioral task
behavioral1
Sample
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
Resource
win10v2004-20240709-en
General
-
Target
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
-
Size
1.8MB
-
MD5
8c6765fe39a0cf9b8c2ed1fb8649be1c
-
SHA1
1308a16f47a014b4fe35573d944f69629fbc1255
-
SHA256
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
-
SHA512
c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87
-
SSDEEP
49152:OumpRLWrfLQ/QeXgD2LWd3U0yze5ZQILCDNci6uX:OumuTCy2L1ze9Sz
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exeexplorti.exeDHDHJJJECF.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DHDHJJJECF.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exed86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exeexplorti.exeDHDHJJJECF.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DHDHJJJECF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DHDHJJJECF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exeexplorti.exeaca2ecacbf.exe38317c35de.execmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation aca2ecacbf.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation 38317c35de.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exe38317c35de.exeaca2ecacbf.exeDHDHJJJECF.exeexplorti.exeexplorti.exepid process 2044 explorti.exe 4212 38317c35de.exe 1824 aca2ecacbf.exe 3688 DHDHJJJECF.exe 4052 explorti.exe 3520 explorti.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exed86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exeexplorti.exeDHDHJJJECF.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine DHDHJJJECF.exe Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
38317c35de.exepid process 4212 38317c35de.exe 4212 38317c35de.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exeexplorti.exe38317c35de.exeDHDHJJJECF.exeexplorti.exeexplorti.exepid process 884 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe 2044 explorti.exe 4212 38317c35de.exe 4212 38317c35de.exe 3688 DHDHJJJECF.exe 4052 explorti.exe 3520 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exedescription ioc process File created C:\Windows\Tasks\explorti.job d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
38317c35de.exefirefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 38317c35de.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 38317c35de.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exeexplorti.exe38317c35de.exeDHDHJJJECF.exeexplorti.exeexplorti.exepid process 884 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe 884 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe 2044 explorti.exe 2044 explorti.exe 4212 38317c35de.exe 4212 38317c35de.exe 4212 38317c35de.exe 4212 38317c35de.exe 3688 DHDHJJJECF.exe 3688 DHDHJJJECF.exe 4052 explorti.exe 4052 explorti.exe 3520 explorti.exe 3520 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 3320 firefox.exe Token: SeDebugPrivilege 3320 firefox.exe Token: SeDebugPrivilege 3320 firefox.exe Token: SeDebugPrivilege 3320 firefox.exe Token: SeDebugPrivilege 3320 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exeaca2ecacbf.exefirefox.exepid process 884 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 1824 aca2ecacbf.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
aca2ecacbf.exefirefox.exepid process 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 1824 aca2ecacbf.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 3320 firefox.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe 1824 aca2ecacbf.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
38317c35de.exefirefox.execmd.exepid process 4212 38317c35de.exe 3320 firefox.exe 4772 cmd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exeexplorti.exeaca2ecacbf.exefirefox.exefirefox.exedescription pid process target process PID 884 wrote to memory of 2044 884 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe explorti.exe PID 884 wrote to memory of 2044 884 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe explorti.exe PID 884 wrote to memory of 2044 884 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe explorti.exe PID 2044 wrote to memory of 4212 2044 explorti.exe 38317c35de.exe PID 2044 wrote to memory of 4212 2044 explorti.exe 38317c35de.exe PID 2044 wrote to memory of 4212 2044 explorti.exe 38317c35de.exe PID 2044 wrote to memory of 1824 2044 explorti.exe aca2ecacbf.exe PID 2044 wrote to memory of 1824 2044 explorti.exe aca2ecacbf.exe PID 2044 wrote to memory of 1824 2044 explorti.exe aca2ecacbf.exe PID 1824 wrote to memory of 2092 1824 aca2ecacbf.exe firefox.exe PID 1824 wrote to memory of 2092 1824 aca2ecacbf.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 2092 wrote to memory of 3320 2092 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe PID 3320 wrote to memory of 2284 3320 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe"C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\38317c35de.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4212 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe"4⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe"C:\Users\Admin\AppData\Local\Temp\DHDHJJJECF.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3688 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJKKKFCFH.exe"4⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\aca2ecacbf.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd91f5a8-5621-43e9-a702-ecddc524e1e5} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" gpu6⤵PID:2284
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {250a24a9-90bc-409e-a7a9-d53cf34a153f} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" socket6⤵PID:4740
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 3356 -prefMapHandle 3116 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b89d805-0651-4489-918e-f849e7445c0c} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab6⤵PID:3032
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3712 -prefMapHandle 3708 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8208ad1a-7ba9-4a55-bc94-4df8fe7bc0fe} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab6⤵PID:3492
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4800 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c72562-75c6-4c78-bde3-1e4c89db90c0} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" utility6⤵
- Checks processor information in registry
PID:3144 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 3 -isForBrowser -prefsHandle 5416 -prefMapHandle 5400 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b895eba8-e4ad-463c-b360-8f09bd8757d4} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab6⤵PID:3812
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d495aa09-d790-40d7-84ba-e78098e61950} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab6⤵PID:2412
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5824 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {884cd622-aacf-4862-be45-2f72de411222} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" tab6⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4052
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3520
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json.tmp
Filesize18KB
MD57ea3e10b98c98c1c73d305fad77660de
SHA1faf60c3f054c9139be99c5a86625988b1f4faee7
SHA25661430008c20254c039c16df881dac16420eb1bc80c6fb9d1086da48a6bea9130
SHA51276819ad0278c205fa39d38d332fe11b88cf58fff8e4e89fd66d4540b4aa8866e710cc07984ce8f3d83405a71d969e434071536147b1c32a530e1ea43a6d054bc
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD5a49ade3954ed63f2c3f5ea8851c42892
SHA16c8509577e513c550c110aaeebb620dbc5e1f320
SHA256c62a266532313c81c30575f1d9ae993058c49c27857f9de55164cf3e025867af
SHA512e710191afaeb9f0d22dc0787b77fde50f667f1df07def57a4774b31f56e07a0face678847167229f1e2db06933d9c441fcaee96177d188be8dd66193179011b6
-
Filesize
2.4MB
MD5b6bf96c3900b28a9970323938a1752bd
SHA1fff9ac5ee2a9849759bf02538f8a431738a894c5
SHA2561013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506
SHA512475848394c20823bf0c05f3d66ff27422b22670babde769f936791881d0da800cadf3ae08e0e99fe0a85abeafaa072672575d020de9267d87142047c1e1033ec
-
Filesize
1.2MB
MD5bea6ed281b600eae06be252f581721c1
SHA125fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
1.8MB
MD58c6765fe39a0cf9b8c2ed1fb8649be1c
SHA11308a16f47a014b4fe35573d944f69629fbc1255
SHA256d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin
Filesize12KB
MD54d0db225a5582c98dcc4b61a393eb693
SHA1ebe6013aca7e9ac09defc34ad507d63b595d1269
SHA256d4650254f7922082125237db68f994f8e8c889890fcebd9634098c248bff1bee
SHA5124135ec52d0f1561b227f31ac2c53f44ea11a5cff70d92d5d6bda9aa19e5953c9a769c49b50be4811b5dd69f7eaedca27da8e48feda997e4c3e6498e51062d593
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD57e5860d20fdc848ea9b27c931f344efd
SHA1504a29984346fcfc690f460090e35421da5c6f38
SHA256ebfc45b0768909b50932145b0f11dbf905dc7c2f0338432b71fcabad07b07ea8
SHA512ce69307085c9f79dede2dc43b330b4a71b1a7599de789e3be390e58611cc867a66cd9f509386b3bc1706edf5a79e3a023a87159ec03cc9023feee52ed167873d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD570feb73ff859f0fe211d0db53f9738df
SHA1ad565054f2fad533f485d4d7e1c2181590c5e517
SHA256177d77d4738e2317f76d063ef87664cd3715d27b1526c4f4c75b6228f3d5b11b
SHA512c613b267c8ce4163560c5c4ad60dc451f4c11924fa3373fa85afc9df2c667f277323ae97c7e4b70cc3f5b9d7aa53a9c6fcd993185911892647b8749c5b1e18b5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize33KB
MD5e80371adcfe9b3d7a88140999af436c2
SHA17276084580a32ac982753edb95773dc728eb65f7
SHA256489ac07be0b2adcbe09bf7faca1b34d8f696e9cbe21368cffbeaee8fbb1d2e29
SHA51265d29d64de74018ce111a21b9bab3e182ae31779f2f784c423a69380f7f8494a20b92570834b395e7db044bec19a471ff3313d5cde8c9613ee50360066e9a5ef
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD57b1018646837b3b174c806f92bf04606
SHA116149dd84d2aad8329153222c88a8f9b8b8e5613
SHA2562f9fb60932ee8f43fc712c24ee4f427d594ada9efd1748b1a8b50812aa90d756
SHA512717c78b69f6d20f231aa2cb8087fa522aca5c768304f4d0fd3f7d7f8ca7357e9ad70eee42270ce50716f42bd353c856998aaa6f07e66a7f643e72c6596ad2704
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\339dd1dc-5200-4db2-8d50-31486e18cb3e
Filesize982B
MD54905c14b56671e5815518bf39e3d9683
SHA16942dfe7816a8145c503acae773fc95128eee6c3
SHA256c11bf7572d7b5eedf48f7df0ee1f90320f54e343bb0154c1ae645fb3a3edb257
SHA5120c4778c2311413ed4af97a5ac270ea06c336633e0f7f921269c7bce0768ab014a6ea415d66b982e1c7c000b783f0aa8c4a4de7565df04cdf270a998a24b572fa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\e3364892-0ed6-433f-b1d7-274e5f6aade9
Filesize659B
MD543d342e777a25206961cbbd73c12e62b
SHA167447c8d0785c957f0884b56758d4be30be78761
SHA2565ff4fb5b24e8f0d2250206e93f654859b72b4694edb7f9cd6fa86a123f19f294
SHA51203f1b205aa2ed44d1fb9ad9ea63f6b8e2734c32d0c113a5abf92d67a956dcf084f00b2dec7716c0704b52b0bc90121ee1820fedb0cf2d1e957bd57b841e316bb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD55f44311da1fd7981add55698cf510943
SHA10f6e61fa51ca5fd9e1546102483f9baf9b115d39
SHA256672dd494a1f5b1fc6eec424d0528fe023174d6a81e50cc404f162ab98318f302
SHA51243b58ac868c73bd7300d35affd5e8df0b8fcf92696c3c8a9694fb14152d0c46d078f7823fec31e23988d218c451688cb10362a6f4665337450809c5b582a131f
-
Filesize
13KB
MD5ff6769a6f8c7823ded3e76700ea90673
SHA13b0fa98ce962982de4badef7d8eaf23bef8fadca
SHA256231d0aacbadf0ef33df175bf6ab296839daf248ea04731c1d94369b2c2bc2787
SHA5126cdea18b00fed4c7ab8962e1fcf86f6daaf6ab5dac9d8f7f4dbd0d2e0f226cbf023700bd91fb9816bf212f8af80372c7a108607ca5326bbfe5c1865d07b634fb
-
Filesize
8KB
MD5defcd451dd76cffa2c2ec80c1764a530
SHA1c9096964e6db388270ed829006705bdde9f85422
SHA256509259ce8b3628611cb21f4817c12db332b975dc38b6c0055998efe5e3f8aeb7
SHA512b2db0f214ffc728224baa8763a1b7d0df3717bcd1b0201a241faf0496a502c26f2d557e34b3e3d12278d68dd42ece1bc96c6c23fc5d6255831d1009163cbbb56
-
Filesize
8KB
MD5ac6e4c459fb32c9507fa7bfcfc4bfa01
SHA1d0e0c0e5ca247c1859dc56b5358adc1bfc19b50f
SHA256fe40b584501915429da42e9e1fa6d56bfab95f058410777f87f005ec7d0f9e82
SHA512357e5be327a0689dad3446822f0802d1ffaba258fea53e0e7dad5e2a99aad283dcd0e19ea020ed64d96998d9f2039efe6dded7e92018f7e836d194af942494b2
-
Filesize
8KB
MD530cc00d0a48ef3290836a675631eb5df
SHA1e9c26ec823d4fcc0e6a8dc881e8319d439b3315e
SHA256d0c823d6e9ba525033051684fabf1b48e323f0592f24be1e5e84699284737a12
SHA5127022f958a4ca2edd8d1cde68b55138cd3508210d99573cdfd3c8122aa22353a6f637288b886251b847ccd6ac458774438a74c497b6279e2c7f1cd3c4e3f32236