Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
09-07-2024 23:25
Static task
static1
Behavioral task
behavioral1
Sample
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
Resource
win10v2004-20240709-en
General
-
Target
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
-
Size
2.4MB
-
MD5
1552573045f153aa7269a30d3a1dd151
-
SHA1
d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
-
SHA256
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
-
SHA512
8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460
-
SSDEEP
49152:fUJ0tlSm5vh9dwM4tYensXVh9uZl3Rh7LRCFIg6EWkJeectmfdF:M2VR4t/sFbgdRh7CWeeeww
Malware Config
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
explorti.exeexplorti.exeKJEHDHIEGI.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ KJEHDHIEGI.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
KJEHDHIEGI.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion KJEHDHIEGI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion KJEHDHIEGI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.execmd.exeKJEHDHIEGI.exeexplorti.exe6728fd7bd0.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation KJEHDHIEGI.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation 6728fd7bd0.exe -
Executes dropped EXE 6 IoCs
Processes:
KJEHDHIEGI.exeexplorti.exee1010ef8e3.exe6728fd7bd0.exeexplorti.exeexplorti.exepid process 3408 KJEHDHIEGI.exe 3080 explorti.exe 1696 e1010ef8e3.exe 2436 6728fd7bd0.exe 4940 explorti.exe 3292 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
KJEHDHIEGI.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine KJEHDHIEGI.exe Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exepid process 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exeKJEHDHIEGI.exeexplorti.exee1010ef8e3.exeexplorti.exeexplorti.exepid process 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 3408 KJEHDHIEGI.exe 3080 explorti.exe 1696 e1010ef8e3.exe 1696 e1010ef8e3.exe 4940 explorti.exe 3292 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
KJEHDHIEGI.exedescription ioc process File created C:\Windows\Tasks\explorti.job KJEHDHIEGI.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exefirefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exeKJEHDHIEGI.exeexplorti.exeexplorti.exeexplorti.exepid process 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 3408 KJEHDHIEGI.exe 3408 KJEHDHIEGI.exe 3080 explorti.exe 3080 explorti.exe 4940 explorti.exe 4940 explorti.exe 3292 explorti.exe 3292 explorti.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 4360 firefox.exe Token: SeDebugPrivilege 4360 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
6728fd7bd0.exefirefox.exepid process 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
6728fd7bd0.exefirefox.exepid process 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 4360 firefox.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe 2436 6728fd7bd0.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.execmd.exee1010ef8e3.exefirefox.exepid process 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe 4100 cmd.exe 1696 e1010ef8e3.exe 4360 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.execmd.exeKJEHDHIEGI.exeexplorti.exe6728fd7bd0.exefirefox.exefirefox.exedescription pid process target process PID 4004 wrote to memory of 2640 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe cmd.exe PID 4004 wrote to memory of 2640 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe cmd.exe PID 4004 wrote to memory of 2640 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe cmd.exe PID 4004 wrote to memory of 4100 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe cmd.exe PID 4004 wrote to memory of 4100 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe cmd.exe PID 4004 wrote to memory of 4100 4004 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe cmd.exe PID 2640 wrote to memory of 3408 2640 cmd.exe KJEHDHIEGI.exe PID 2640 wrote to memory of 3408 2640 cmd.exe KJEHDHIEGI.exe PID 2640 wrote to memory of 3408 2640 cmd.exe KJEHDHIEGI.exe PID 3408 wrote to memory of 3080 3408 KJEHDHIEGI.exe explorti.exe PID 3408 wrote to memory of 3080 3408 KJEHDHIEGI.exe explorti.exe PID 3408 wrote to memory of 3080 3408 KJEHDHIEGI.exe explorti.exe PID 3080 wrote to memory of 1696 3080 explorti.exe e1010ef8e3.exe PID 3080 wrote to memory of 1696 3080 explorti.exe e1010ef8e3.exe PID 3080 wrote to memory of 1696 3080 explorti.exe e1010ef8e3.exe PID 3080 wrote to memory of 2436 3080 explorti.exe 6728fd7bd0.exe PID 3080 wrote to memory of 2436 3080 explorti.exe 6728fd7bd0.exe PID 3080 wrote to memory of 2436 3080 explorti.exe 6728fd7bd0.exe PID 2436 wrote to memory of 2812 2436 6728fd7bd0.exe firefox.exe PID 2436 wrote to memory of 2812 2436 6728fd7bd0.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 2812 wrote to memory of 4360 2812 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe PID 4360 wrote to memory of 4216 4360 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe"C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe"C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {548b8f68-8d08-4582-b5d2-448ae5df9991} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" gpu8⤵PID:4216
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c522d834-821f-41c7-b07a-2eb0fd87d481} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" socket8⤵PID:4308
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3232 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3224 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc54406a-1b89-4c68-a282-8b392bb20efe} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab8⤵PID:2720
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 1260 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a0d8942-953f-4173-a1f5-107968e645a0} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab8⤵PID:384
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9d59616-82fd-4394-82ab-b22457ba7b1f} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" utility8⤵
- Checks processor information in registry
PID:4540 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5276 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b4614e-d9e7-4eba-8307-f5671ad0920a} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab8⤵PID:4876
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5440 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4d087f-521b-4009-b469-595a39eb8826} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab8⤵PID:4316
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4564 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a86f973-2613-43b9-8d31-a386fe7fa2fa} 4360 "\\.\pipe\gecko-crash-server-pipe.4360" tab8⤵PID:4740
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHCGCFHDHI.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4100
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4940
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3292
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json.tmp
Filesize18KB
MD51df1250c05332416621b397d94ac6f33
SHA17eeaa8a16f461590976eff10bc6970e39aea8f05
SHA256bc5ac04f768bc530a50e820d444e21a5174764f97e4a6c912d0c7c4e428e21c5
SHA5129252c9d388234aa81a8ba2d0f2c5e56730cdd77b64ecfa09a119a4d87e8746b08c42fb69f6dade8eb84dad1fd140705fba61dd443545d41d0ed6bd638424d616
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD5d066482006a1fb383085a85522e0f0f5
SHA18f5648af238c6f388c6442410e45c6fff455a2f5
SHA25658c5ae93c55608b30005d589ec7307919850c09efb86787fdfa097a1ceb89ec6
SHA51222b1de9fcef9075ea602641254c6c532a41ebcdb72356b937b948d268dc5eefa05e2634ebd21c9c6bf7fd678ab83964224a5276c3c9b98b9c7576a0076cf3f3b
-
Filesize
2.4MB
MD51552573045f153aa7269a30d3a1dd151
SHA1d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA5128301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460
-
Filesize
1.2MB
MD5bea6ed281b600eae06be252f581721c1
SHA125fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
1.8MB
MD5e8dd22ee36d1c52d657cf17d1cb7d3ef
SHA1173c7859c41f254327d08351f17569b2ee6b9e00
SHA25660204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
SHA51237636a17778b5bf2d531e20f05601541e6ac4a4e0e973149bd2e4fb08324077dfbab5c1c848b81895f2e657113c5290604ffe6c59e783a3c443827a53e837fd9
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin
Filesize13KB
MD54947083034c9a2f86fc1e10ba43ccc08
SHA1cbedbb5a50c2b1b7d317c758e177aac62478cad3
SHA256c91863614b7f5be79577d5bdc4181144f24c34fb3155890f804aad85b0be3b52
SHA5129025d2c15598d1a1420226a499304c2090d71fe82eaaa81cd6a23401d54234bc14ee5e4dbd95904827ce1030211bb6dd7e918343395ee83a3a5b47c4b78ec0d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize23KB
MD5fa3eef5126e73d2450a318aa594d65af
SHA11023d20a0d40a656086f7cb5ee6d36f228d4d1b9
SHA256cd9904f7775ae52e1ee218b78f3b9a315111c3aaa7fa9849c8f299a7322beedf
SHA512be0dc2a01e72559726dc01e1c39affd31ab32173e759460a1323e0cd702679fa5ca788a9a493db59ee2324933f692659e3d3a7d0f2b96cd4f92b7a7e044b9312
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD522beb8cd378d311bb7d227310ee23220
SHA1a18be4fc712b5c8c01c08b57c0571fe94a85c9a8
SHA2560e8326e9fa85c6bf4edb13cb43d45bb36a700563f26ae05384c9df2d9acb5d86
SHA5123faabac79e6e1424b9b8b53ed46938f4fb82b0e50d02f8381e8ac54a9fff785cf580a851dfdd2f37cb46dd7c96fd46e7db57146539ba8564c6fb9c4013d2d318
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5644a3cb25ba72f642bb1c26bc42db894
SHA117de6fbfb487d83e5cd22104daf5c17917fd9627
SHA256698763cbae117c75a366d19c72c7e6f9704e2b3cda2b4f161d796f06c4604096
SHA51265856e339147936db052210ff5d1c368c9279f1efbf453da953ecdfc80f883c8e4fc2f6dc5ee4cdf8275871866a4a30c89b809e3114921cfc3cfa966c6a3b5ed
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5e9ed2bdf3574c9bbede09534463c6683
SHA13b26c22896915a2635f1d619b7e98ce54f21d3b9
SHA2569f166776e93988e0525e2230da78e71c25f96b185e52bd9477201256c70f85b9
SHA51278bb9c27610aa3e6ad07651439359814e92432ec6a71a6a6b2c37bdd7f29c72aaee44a3679b7bc391706a16526996f0afbb6e5a88559adc7297eea1bf747d4c3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\51c4944b-f924-4921-978a-8a694102e6c2
Filesize659B
MD5bb48e4d9b4ae1fd2d9b289d7fb19719c
SHA12438607ffafd4ac4788d86836d33a4b78c765e91
SHA256060338d0447ea2344beb10da494ff06c158ff3d50b538a915ef07342c2463b10
SHA51270af85081674f88a790d7f312a17017eaa9f6fc0542be5c5d199c764c3f68aa99f78bea90988a7e5c5de9509616c45f525619b2052621d13a070512da1e7e34b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\7559e813-6b52-498b-8909-90fb0ec7dee5
Filesize982B
MD5d0d2ee8209d4714d6ef55633d109a8fa
SHA1626e2ba8af31cbecd43b26dff02a53fb26f48a68
SHA2561b69fec1437d4d0691b8752673a5aa9846001db9831a331fe7d215568b6ffdb1
SHA512a4060fecf3147f2fabc87ea5e61c9c512b27fc6b256770d18b67f996dc51cfa0765e86fd8f2294486e3b4e704447c5acee333c3a35bf9360a2339fad96a6627b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
8KB
MD53807363ca9fb5a3c8abe76ccd2fa11ba
SHA119f64b4e6cbfcc69ce254fcb6fbb16a7bd65cadb
SHA25691ce83218dd8680d8e53c22d7fddf1dfe7e704f4d197af2fe4fc3a2ffb7712b5
SHA51241e0bf808b876495306f4dc9c3317734b9e56e7ca81782be93f7abc39fbd36ada3e3231c1a2cf079d29e8a98699cef2defe7b24f96d0db55886a59583d854acb
-
Filesize
10KB
MD547932c0a8b892632f3e16b272cb3ef8a
SHA103d1a1cddc9b487e131b2c4d1b1a9c1c08d60856
SHA256a32f0428cdd1a2fae076114515ea6e0ad375d3955f86b4e528e9e046d522c0f5
SHA512443ae005eadea13a9db6900714bb0b37a48da153d8fba5481123548c53e6b368168aaf7b88e0d98aa64a22abcc31dbf04e1cb9b72bada5b53e2669905899d4c6
-
Filesize
13KB
MD555138fd45f667c7d990a7c149c76168c
SHA1d69c6e97cdc4763bbf8d79f3266a22b1cd32fbcf
SHA25648aa08c9227b3370700f54bb6c889345b7cfc3c64314b77cf7530e9a59012fb3
SHA512a70701c947e920dab8a0084d90cb7e29b15fb087586bc9425c275ac697a5997a04eec69c7a3ce989b5dd0aa4af17e1771e5486e8651cf3179a61fc343349c581
-
Filesize
8KB
MD535b70d6d082c4d8ad2caabe9883895fc
SHA184bf2e554c0fc4fde0def0a94d509605ec15ffaf
SHA25679ee22834a66a7ac9b76b7b43a0cba5938d29a0906a0d27d87d0874ef8c43e40
SHA5126d6d4d80af9b9389be49c3211bdda9670a96a2fca00248f8dfe5254dcebd9a2f61260551c1abd9f9442aea77e2fbec5ce05da4e0d01373b7bca780c5d9c941e5