Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2024 01:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
- Resource: win7-20240705-en
General
- Target: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
- Size: 2.4MB
- MD5: b6bf96c3900b28a9970323938a1752bd
- SHA1: fff9ac5ee2a9849759bf02538f8a431738a894c5
- SHA256: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506
- SHA512: 475848394c20823bf0c05f3d66ff27422b22670babde769f936791881d0da800cadf3ae08e0e99fe0a85abeafaa072672575d020de9267d87142047c1e1033ec
- SSDEEP: 49152:vNXu+em7jvl9vusinK4BwNH+T7m4/OKp0Pu46RKebeb9kbXb8ddhhtQhCvOaY5dY:vNe+VZ9vusiK4BwNHi7m4mK7Webeb9k0
Malware Config
Extracted: stealc
- hate
- http://85.28.47.30
- url_path: /920475a59bac849d.php
Extracted: amadey
- 4.30
- 4dd39d
- http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  Processes: explorti.exe, FIIIIJKFCA.exe, explorti.exe, explorti.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | FIIIIJKFCA.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
- Downloads MZ/PE file
- Checks BIOS information in registry 2 TTPs 8 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: explorti.exe, explorti.exe, FIIIIJKFCA.exe, explorti.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FIIIIJKFCA.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FIIIIJKFCA.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
- Checks computer location settings 2 TTPs 5 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 0437d5223f.exe, 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe, cmd.exe, FIIIIJKFCA.exe, explorti.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 0437d5223f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | FIIIIJKFCA.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | explorti.exe
- Executes dropped EXE 6 IoCs
  Processes: FIIIIJKFCA.exe, explorti.exe, 0aca70c242.exe, 0437d5223f.exe, explorti.exe, explorti.exe
  pid | process
  1072 | FIIIIJKFCA.exe
  4796 | explorti.exe
  3524 | 0aca70c242.exe
  4264 | 0437d5223f.exe
  2968 | explorti.exe
  3492 | explorti.exe
- Identifies Wine through registry keys 2 TTPs 4 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: FIIIIJKFCA.exe, explorti.exe, explorti.exe, explorti.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | FIIIIJKFCA.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
- Loads dropped DLL 2 IoCs
  Processes: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  pid | process
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- AutoIT Executable 1 IoCs
  AutoIT scripts compiled to PE executables.
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe | autoit_exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  Processes: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe, FIIIIJKFCA.exe, explorti.exe, 0aca70c242.exe, explorti.exe, explorti.exe
  pid | process
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  1072 | FIIIIJKFCA.exe
  4796 | explorti.exe
  3524 | 0aca70c242.exe
  2968 | explorti.exe
  3492 | explorti.exe
- Drops file in Windows directory 1 IoCs
  Processes: FIIIIJKFCA.exe
  description | ioc | process
  File created | C:\Windows\Tasks\explorti.job | FIIIIJKFCA.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry 2 TTPs 10 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: firefox.exe, 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe, firefox.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Modifies registry class 1 IoCs
  Processes: firefox.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | firefox.exe
- Suspicious behavior: EnumeratesProcesses 12 IoCs
  Processes: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe, FIIIIJKFCA.exe, explorti.exe, explorti.exe, explorti.exe
  pid | process
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  1072 | FIIIIJKFCA.exe
  1072 | FIIIIJKFCA.exe
  4796 | explorti.exe
  4796 | explorti.exe
  2968 | explorti.exe
  2968 | explorti.exe
  3492 | explorti.exe
  3492 | explorti.exe
- Suspicious use of AdjustPrivilegeToken 5 IoCs
  Processes: firefox.exe
  description | pid | process
  Token: SeDebugPrivilege | 4920 | firefox.exe
  Token: SeDebugPrivilege | 4920 | firefox.exe
  Token: SeDebugPrivilege | 4920 | firefox.exe
  Token: SeDebugPrivilege | 4920 | firefox.exe
  Token: SeDebugPrivilege | 4920 | firefox.exe
- Suspicious use of FindShellTrayWindow 64 IoCs
  Processes: 0437d5223f.exe, firefox.exe
  pid | process (64 entries, every one of them one of the two rows below)
  4264 | 0437d5223f.exe
  4920 | firefox.exe
- Suspicious use of SendNotifyMessage 64 IoCs
  Processes: 0437d5223f.exe, firefox.exe
  pid | process (64 entries, every one of them one of the two rows below)
  4264 | 0437d5223f.exe
  4920 | firefox.exe
- Suspicious use of SetWindowsHookEx 4 IoCs
  Processes: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe, cmd.exe, 0aca70c242.exe, firefox.exe
  pid | process
  2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
  2180 | cmd.exe
  3524 | 0aca70c242.exe
  4920 | firefox.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes: 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe, cmd.exe, FIIIIJKFCA.exe, explorti.exe, 0437d5223f.exe, firefox.exe, firefox.exe
  description | pid | process | target process (64 entries; each distinct row is listed once here, the report repeats them, most often the last two)
  PID 2268 wrote to memory of 5060 | 2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe | cmd.exe
  PID 2268 wrote to memory of 2180 | 2268 | 1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe | cmd.exe
  PID 5060 wrote to memory of 1072 | 5060 | cmd.exe | FIIIIJKFCA.exe
  PID 1072 wrote to memory of 4796 | 1072 | FIIIIJKFCA.exe | explorti.exe
  PID 4796 wrote to memory of 3524 | 4796 | explorti.exe | 0aca70c242.exe
  PID 4796 wrote to memory of 4264 | 4796 | explorti.exe | 0437d5223f.exe
  PID 4264 wrote to memory of 4896 | 4264 | 0437d5223f.exe | firefox.exe
  PID 4896 wrote to memory of 4920 | 4896 | firefox.exe | firefox.exe
  PID 4920 wrote to memory of 2552 | 4920 | firefox.exe | firefox.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(tree depth in brackets; each entry gives the image path, the command line, the matched signatures and the PID)

[1] C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1013ef0d12658680241090322d56cbfd6ad665fd922049180184c3fef077a506.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2268

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe"
      - Suspicious use of WriteProcessMemory
      PID: 5060

    [3] C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FIIIIJKFCA.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1072

      [4] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 4796

        [5] C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\0aca70c242.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx
            PID: 3524

        [5] C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\0437d5223f.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 4264

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              - Suspicious use of WriteProcessMemory
              PID: 4896

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                - Checks processor information in registry
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 4920

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9079819-9860-4263-90b6-79bdda0482d4} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" gpu
                  PID: 2552

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f551bbd-4c3f-470e-a6e6-fae2f6fb3dc3} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" socket
                  PID: 1816

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1736 -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2764 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6a1d45-7009-4a37-ae59-14d80f5ebf73} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab
                  PID: 4192

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2d57aee-6cda-4e51-a658-5b8d4382c1ad} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab
                  PID: 4352

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4708 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a706073-a32e-4023-b8bf-179a27c6256f} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" utility
                  - Checks processor information in registry
                  PID: 4296

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -childID 3 -isForBrowser -prefsHandle 5556 -prefMapHandle 4468 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e924bda-6f12-4bb1-abec-2e4837fec1dd} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab
                  PID: 2944

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d47276c9-6271-4889-ad88-c0b977c5a1b7} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab
                  PID: 816

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4a9c942-e117-49af-97bd-e9954fd27e0b} 4920 "\\.\pipe\gecko-crash-server-pipe.4920" tab
                  PID: 3272

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJEHJJDAA.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      PID: 2180

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 2968

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 3492
Network
MITRE ATT&CK Enterprise v15
Downloads