Analysis
-
max time kernel
151s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 02:14
Static task
static1
Behavioral task
behavioral1
Sample
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe
Resource
win7-20240705-en
General
-
Target
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe
-
Size
2.4MB
-
MD5
d342b0b1abfb52f8238f15947684c901
-
SHA1
822148d3b2b2663c25b865a1f98516095c5e01b0
-
SHA256
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404
-
SHA512
e6558c4cc35d8b1784602695a7febec0aef5c9b6fba90fe4a90a8da27592678da6f61655770f35fc425c3de1d970576117982cffb12a9f9d1942daf7b32e4f75
-
SSDEEP
49152:Y12qH4aaB9/JQGfQpUhQ2ZH0VH4QWcS56/DxIqzsWqPjuZ:Y8qYaaz/JQjUhQ2Sass6rTqbuZ
Malware Config
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
explorti.exeexplorti.exeAFCAAEGDBK.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AFCAAEGDBK.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeAFCAAEGDBK.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion AFCAAEGDBK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion AFCAAEGDBK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.execmd.exeAFCAAEGDBK.exeexplorti.exe418bf12b6c.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation AFCAAEGDBK.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation 418bf12b6c.exe -
Executes dropped EXE 6 IoCs
Processes:
AFCAAEGDBK.exeexplorti.exebf10b6b83a.exe418bf12b6c.exeexplorti.exeexplorti.exepid process 4852 AFCAAEGDBK.exe 3308 explorti.exe 3964 bf10b6b83a.exe 4224 418bf12b6c.exe 3860 explorti.exe 324 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
AFCAAEGDBK.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine AFCAAEGDBK.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exepid process 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exeAFCAAEGDBK.exeexplorti.exebf10b6b83a.exeexplorti.exeexplorti.exepid process 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 4852 AFCAAEGDBK.exe 3308 explorti.exe 3964 bf10b6b83a.exe 3860 explorti.exe 324 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
AFCAAEGDBK.exedescription ioc process File created C:\Windows\Tasks\explorti.job AFCAAEGDBK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exec11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exeAFCAAEGDBK.exeexplorti.exeexplorti.exeexplorti.exepid process 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 4852 AFCAAEGDBK.exe 4852 AFCAAEGDBK.exe 3308 explorti.exe 3308 explorti.exe 3860 explorti.exe 3860 explorti.exe 324 explorti.exe 324 explorti.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 848 firefox.exe Token: SeDebugPrivilege 848 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
AFCAAEGDBK.exe418bf12b6c.exefirefox.exepid process 4852 AFCAAEGDBK.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
418bf12b6c.exefirefox.exepid process 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 848 firefox.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe 4224 418bf12b6c.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.execmd.exebf10b6b83a.exefirefox.exepid process 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe 4028 cmd.exe 3964 bf10b6b83a.exe 848 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.execmd.exeAFCAAEGDBK.exeexplorti.exe418bf12b6c.exefirefox.exefirefox.exedescription pid process target process PID 1548 wrote to memory of 2828 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe cmd.exe PID 1548 wrote to memory of 2828 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe cmd.exe PID 1548 wrote to memory of 2828 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe cmd.exe PID 1548 wrote to memory of 4028 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe cmd.exe PID 1548 wrote to memory of 4028 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe cmd.exe PID 1548 wrote to memory of 4028 1548 c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe cmd.exe PID 2828 wrote to memory of 4852 2828 cmd.exe AFCAAEGDBK.exe PID 2828 wrote to memory of 4852 2828 cmd.exe AFCAAEGDBK.exe PID 2828 wrote to memory of 4852 2828 cmd.exe AFCAAEGDBK.exe PID 4852 wrote to memory of 3308 4852 AFCAAEGDBK.exe explorti.exe PID 4852 wrote to memory of 3308 4852 AFCAAEGDBK.exe explorti.exe PID 4852 wrote to memory of 3308 4852 AFCAAEGDBK.exe explorti.exe PID 3308 wrote to memory of 3964 3308 explorti.exe bf10b6b83a.exe PID 3308 wrote to memory of 3964 3308 explorti.exe bf10b6b83a.exe PID 3308 wrote to memory of 3964 3308 explorti.exe bf10b6b83a.exe PID 3308 wrote to memory of 4224 3308 explorti.exe 418bf12b6c.exe PID 3308 wrote to memory of 4224 3308 explorti.exe 418bf12b6c.exe PID 3308 wrote to memory of 4224 3308 explorti.exe 418bf12b6c.exe PID 4224 wrote to memory of 1928 4224 418bf12b6c.exe firefox.exe PID 4224 wrote to memory of 1928 4224 418bf12b6c.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 1928 wrote to memory of 848 1928 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe PID 848 wrote to memory of 5028 848 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe"C:\Users\Admin\AppData\Local\Temp\c11e7133c481e34c3ac90d33416e85490b4e4b3b2af782fae22138298bb0e404.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe"C:\Users\Admin\AppData\Local\Temp\AFCAAEGDBK.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\1000006001\bf10b6b83a.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\bf10b6b83a.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\418bf12b6c.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4845c724-07e3-4186-9e2a-8cb818ca66a8} 848 "\\.\pipe\gecko-crash-server-pipe.848" gpu8⤵PID:5028
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e47bb70-572b-40d8-9c10-f0fb85e46838} 848 "\\.\pipe\gecko-crash-server-pipe.848" socket8⤵PID:1884
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3264 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07320f9d-0e21-4435-b37a-7c458e2ecd36} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab8⤵PID:4232
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4176 -childID 2 -isForBrowser -prefsHandle 4168 -prefMapHandle 4164 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0e0c2b3-9979-42e3-9c5d-c6d5a875d519} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab8⤵PID:2284
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4800 -prefsLen 31179 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29b44bd-655d-49d6-ba7f-9cd576dd2202} 848 "\\.\pipe\gecko-crash-server-pipe.848" utility8⤵
- Checks processor information in registry
PID:1096 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e26d293a-da81-405e-8110-24c8aebb02f9} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab8⤵PID:1352
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05f679c6-683a-47f2-a96e-d075fcef74bc} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab8⤵PID:3408
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5764 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b69a660-5be5-4a43-99e6-bb101d17c5d2} 848 "\\.\pipe\gecko-crash-server-pipe.848" tab8⤵PID:228
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHCGIJDHDG.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4028
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3860
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:324
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\activity-stream.discovery_stream.json.tmp
Filesize21KB
MD58fdfe14e773c716561337419debffcd9
SHA189c6cd64a3b161c4b1f84d087058c9d69bc7f9cc
SHA256bbd2133f0091c26001993310745dc1f08455ce295b17f36f0885163e4eee21f5
SHA512e97c79ac8bd362d954edddc8845ec9c94d3bc42d62c22a332e04f5cb61f0ae87b9125f82f6908aa0e789f5334f7825308a80d0df6a641da4e998ddeda3eb1984
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD570241e4c4bd63f08bfb8b63720bab020
SHA107759a43a5535d7b05591aa5985deeba9b254fdb
SHA2560d974960962236fe3c1c2068df4d15273dd4d48daa3f84442401703d42af364b
SHA512a55dd8c19488a2b886e8a677993d24e3c60daaf7a76d7c1bbf3bd7d1d18773eaeb7c2ddd7623afbe3612d36fda90943513ad4d54321a903ab87f0fac41bfba71
-
Filesize
2.4MB
MD51552573045f153aa7269a30d3a1dd151
SHA1d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA5128301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460
-
Filesize
1.2MB
MD5bea6ed281b600eae06be252f581721c1
SHA125fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
1.9MB
MD5f904f4e23035a9535b504569ffff9aba
SHA1694fdfda0919c7d169e1cbde465d8707e80d9a37
SHA256eeb995d1617196c79fe986db9a93d7e548ac86228fc3d8e0988355ddb7f10d93
SHA512994a9b3630b6afba69ab9e691bdd27ca05defd0de328dbb82256bd1613554e8270948a90db4aa54427364b9bb1210f4bd0fc8ad07d75e150506a560b5c5508ce
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\AlternateServices.bin
Filesize12KB
MD582887a9ae44e3dbd5dce854b5b8cf7de
SHA19d3d83a6504cccf40a63c3757893c322ed9c8967
SHA256a8a41a0eda678721f0b2c96cb3b9dc8c10ebea307fb835154fb9015b77ee678b
SHA512491c4c8ce756705bf6b6c7273517b0207d980ea8ae8e3d58700276be4890979a0ec7146e87784be66153c58ac51885f14236c1d9360e2c8c9754d59df25d0e85
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD576c6c0d02c9e8ed378f6c592c006c47e
SHA172eac07e5d8a7a5d091920fd0c9ea5779d5ee67c
SHA2560ab381965c32ae9e637a3f8af7cedc7115c8b62e6daa1b52b6fb7ff0865d41c2
SHA51272f61369264f3b4f38e1c0869caeaf3381d30b633339630a18862d0a0d82a7ff437a7aec7b20c041362c2cc5959e1c77b8fca835c48266120439b58bc0616719
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5ec34bd4678322724b6ce26889ef7a34e
SHA13173d55475bef4af957e39aaf899433c53bcd4b7
SHA256db3e8c317982985158a26e36743c2bb059c5054f67dd69bf59a0436049d39352
SHA51239414934cbdee53b204d2365aeacfbb9ee79369eb966b157a8dff37767830ce08d7120b8269281f257c5956343eb6228373282374af48d79ad365a4c810c4bd5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\0df89336-7faa-4a43-962c-c13f91908058
Filesize982B
MD58e9c8b0beb48c0cceabf3db487dd145d
SHA1efb3c2364e35953cf52511c6927e8309c76ece68
SHA25660cb647ac4100e2d5e7bad7e398c2cf6624c4acf7f9d83c50d4ad667efed9550
SHA512d1b972894651f965836888c90a39b9bbdc2a0c62675c4dc35dc5b6677ecb5cf6a458515380cfee4106c711cd8902d0896f532b5512d47affd47289172aa3670b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\2c21bf7b-7daf-44bf-9bb5-52226ea79ded
Filesize659B
MD5851bac52228fb362cd6592d3e0001ea4
SHA1df02c61d3e0796c19bed5535125fd52544fa6267
SHA2566e33a28704da844fe752dde0a0e600018651ef7bf66d6b2c6e86f59ff5c1b19c
SHA5122458c838ecd283b66707f331ffa6aa614cb200f3cbc60cc31c9c0bdf3b468f44e86324e1f68f725f4894105573cfe2ce8abd71fc67810f2fd3a3ce4f6ccfd66f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD5146060897ca3518375b5cdaec9ca4f2a
SHA153b9bc94c14187e6d59543f845c315f374e4f299
SHA256827b2bf6262215abb6557f8226048723166a59b6388b3ab3ac714d6a2de6be8e
SHA5128dfcbead8e44fbcc82e816698c1ff15c0dd7303b1a02efba1c0803c3b73dd8aa7b9a7fca835322ada1b39826436ece89789ea12ef68cd89a2111d393b56b6ca9
-
Filesize
8KB
MD5731575fffeb8caa91be30869e8982a69
SHA189bf2295fe7f50c67dbd8c69a1f6ef210a861ed6
SHA256e62bda1be1e4a98d4cf0a73af0aef10eb6a4370b4625e802335438f80c0ed9cd
SHA512df377326c4290e59ba1a5c092f767d0ebc22ae76ba4728226cbc8e92decdd8f83590583452b73ec9ee7a157ca07fa3ac7ef48b6a1861e6938f5b48a4602aea7e
-
Filesize
8KB
MD5438d8000581e26b23018a1d4a4ace094
SHA1779a1ef2667a5d7771256d2fc4ed46ac854d1c36
SHA256c3e5a175d3d9d289cea698883611a4a980c52033cf0c3c757044d95afa8f357d
SHA51215cae37951c0613f778d04ecfa8264d4e183ef1b956c9801715b52b33910b30a32bf506ae63c2f3e3d8925c0f0f257df302bca5e1603417b0c2d8f9a8cccde79
-
Filesize
8KB
MD5a5e06eb737f36a3071c6742a6d927d92
SHA15454fc249660b0dcda259e26941e128c25ae6386
SHA256f108d799141d58571fb7c4c4ac61a6a0c13822941ef1829bbd4460c6c0ecf6cf
SHA512eca78243532fe90fe89e23015e7b94d7aed7b489056858f9b39492fbb98397e9283555c02045643732f19f30030ccc56d102808f96f777dfb798ea86bf89ab38
-
Filesize
13KB
MD5562ee5d91829881708bb5385de1af17f
SHA18b95dd308eedc92d5bca90c81b501fd7a50f348f
SHA256d2b888470c5ab035514b455a2cd4363e653070ee365df585662e1be4ae17dd92
SHA5126d3516f7a2b1c80e428df70a1a01ba545a58155be87f487bec9d3645613408f4dc11459a0a840744b53f47ba491ebcef76345136dba13477f41f25cdf51ece02
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD5b432b8bafb062421e6de55ad0c626b1c
SHA1e99ee02b1d5888fbcbb296a01c34148d866c10e7
SHA2569d37c72c4e91d8973fee04ecb6ccd1e0cc68b1d055f016256edd0c21734f183a
SHA512f61d151ddba2ec6cfb1acf56bd2eaa12dad43b629bd703c04c1b1615de3d8b9371931493087f36d4fdc84f6f307109f6a3526737fe297b47ae59ce32964b69dd