Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system -
submitted
10-07-2024 03:10
Static task
static1
Behavioral task
behavioral1
Sample
e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
Resource
win10v2004-20240709-en
General
-
Target
e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
-
Size
1.8MB
-
MD5
fb26e404f23d62125f6a4c9a0a62c9e6
-
SHA1
43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
-
SHA256
e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
-
SHA512
82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1
-
SSDEEP
49152:J0AWYmat25fnyPgzTmC/nQ6aZeCzSdKLNcfn7fYX:JVD+5fny4zaR6yj+DfYX
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, explorti.exe, JKFHIIEHIE.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JKFHIIEHIE.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, explorti.exe, e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, JKFHIIEHIE.exe, explorti.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JKFHIIEHIE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JKFHIIEHIE.exe
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: explorti.exe, 65293a0bb5.exe, cec5fcd6fe.exe, cmd.exe, e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 65293a0bb5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | cec5fcd6fe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
-
Executes dropped EXE 6 IoCs
Processes: explorti.exe, cec5fcd6fe.exe, 65293a0bb5.exe, JKFHIIEHIE.exe, explorti.exe, explorti.exe
pid | process
2568 | explorti.exe
1616 | cec5fcd6fe.exe
2332 | 65293a0bb5.exe
3336 | JKFHIIEHIE.exe
2688 | explorti.exe
1040 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, explorti.exe, JKFHIIEHIE.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | JKFHIIEHIE.exe
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
-
Loads dropped DLL 2 IoCs
Processes: cec5fcd6fe.exe
pid | process
1616 | cec5fcd6fe.exe
1616 | cec5fcd6fe.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, explorti.exe, cec5fcd6fe.exe, JKFHIIEHIE.exe, explorti.exe, explorti.exe
pid | process
2028 | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
2568 | explorti.exe
1616 | cec5fcd6fe.exe
1616 | cec5fcd6fe.exe
3336 | JKFHIIEHIE.exe
2688 | explorti.exe
1040 | explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: cec5fcd6fe.exe, firefox.exe, firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cec5fcd6fe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cec5fcd6fe.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, explorti.exe, cec5fcd6fe.exe, JKFHIIEHIE.exe, explorti.exe, explorti.exe
pid | process
2028 | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe (2 entries)
2568 | explorti.exe (2 entries)
1616 | cec5fcd6fe.exe (4 entries)
3336 | JKFHIIEHIE.exe (2 entries)
2688 | explorti.exe (2 entries)
1040 | explorti.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 840 | firefox.exe (5 entries)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, 65293a0bb5.exe, firefox.exe
pid | process (64 entries, listed in order with repeats collapsed)
2028 | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe (1 entry)
2332 | 65293a0bb5.exe (7 entries)
840 | firefox.exe (4 entries)
2332 | 65293a0bb5.exe (1 entry)
840 | firefox.exe (17 entries)
2332 | 65293a0bb5.exe (34 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 65293a0bb5.exe, firefox.exe
pid | process (64 entries, listed in order with repeats collapsed)
2332 | 65293a0bb5.exe (7 entries)
840 | firefox.exe (4 entries)
2332 | 65293a0bb5.exe (1 entry)
840 | firefox.exe (17 entries)
2332 | 65293a0bb5.exe (35 entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: cec5fcd6fe.exe, firefox.exe, cmd.exe
pid | process
1616 | cec5fcd6fe.exe
840 | firefox.exe
936 | cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, explorti.exe, 65293a0bb5.exe, firefox.exe, firefox.exe
description | pid | process | target process (64 entries, listed in order with repeats collapsed)
PID 2028 wrote to memory of 2568 | 2028 | e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe | explorti.exe (3 entries)
PID 2568 wrote to memory of 1616 | 2568 | explorti.exe | cec5fcd6fe.exe (3 entries)
PID 2568 wrote to memory of 2332 | 2568 | explorti.exe | 65293a0bb5.exe (3 entries)
PID 2332 wrote to memory of 5004 | 2332 | 65293a0bb5.exe | firefox.exe (2 entries)
PID 5004 wrote to memory of 840 | 5004 | firefox.exe | firefox.exe (11 entries)
PID 840 wrote to memory of 4608 | 840 | firefox.exe | firefox.exe (42 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\cec5fcd6fe.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1616 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe"
PID:5028
-
C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\JKFHIIEHIE.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3336 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHIJJEGDBF.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:936 -
C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\65293a0bb5.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Program Files\Mozilla Firefox\firefox.exe (depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c5ef2af-20c3-41a2-8032-1eeddc77ba3a} 840 "\\.\pipe\gecko-crash-server-pipe.840" gpu
PID:4608
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2316 -prefMapHandle 2324 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a87c7f-f8cb-4da4-9c5d-bd1c9ff2309a} 840 "\\.\pipe\gecko-crash-server-pipe.840" socket
PID:2768
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3056 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc809f1f-b2e7-46a8-a5e4-5413eddcd744} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab
PID:2968
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 3932 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3d46038-dde9-4a00-8023-978cb753dda9} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab
PID:4084
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4760 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06b69595-d71d-4535-b038-5174a8c293f5} 840 "\\.\pipe\gecko-crash-server-pipe.840" utility
- Checks processor information in registry
PID:1908 -
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5372 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80afb1a7-9fa3-4139-8f3d-5bd3aeedf223} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab
PID:5864
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e33d6255-dbed-4a8d-8146-57dc7e140bc8} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab
PID:5892
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1135f91-2aab-4970-9ed7-d62ff9299543} 840 "\\.\pipe\gecko-crash-server-pipe.840" tab
PID:5928
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2688
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1040
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\activity-stream.discovery_stream.json.tmp
Filesize 18KB
MD5 8af10e7161db66cefa4f231989e8bcf8
SHA1 a3c30c20166313d48e67d73372125ea75224de9d
SHA256 4a93ca1041e7dc4fa8d6e44500fbbb9af8cce65ea1a5a7fbd5fb8f2c5a8b1203
SHA512 269ab8da3ae0a519a297ae220a8c8e6868fa4fa6e3842e83883efd7450d3c5dca56a59c8f3d3bdba4570630c3cc467452afa928ae2d90738a2b575ffe5c37e4e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 fb209dfb85879e476883fe587f0d9695
SHA1 903bf4fc8f6661885031887cd5fd76228be447ed
SHA256 74a42fbbd36f16078eb6aa6b28bad4379aba5a4c927661fe92f0d5bba2a84a68
SHA512 bd877f275c942b315bc704e78cfed3d56dd490de77b7f6b5b104910cef9169a633164c5860053e6403422bcebe725d3c9e2c8ab454f2a51cd3cd37973f32d3dd
-
Filesize 2.4MB
MD5 1552573045f153aa7269a30d3a1dd151
SHA1 d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256 d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460
-
Filesize 1.2MB
MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize 1.8MB
MD5 fb26e404f23d62125f6a4c9a0a62c9e6
SHA1 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
SHA256 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
SHA512 82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1
-
Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin
Filesize 12KB
MD5 9744909ca94b93676d3a39e0942c4630
SHA1 b1ce283b978e831e56c9d37a9633701d65371437
SHA256 184aceeb475dbae39d16345304a30901428d09b10eb67fa17c9f8b00551c8775
SHA512 c7a7e13ab0950bb076430849b1b9062ab97ae6e768ba0805e4817a085453289f6a7cab09518eb26d2eb50e2e6a36a980cf9831bceb16e7c6e90223b93dd90d33
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin
Filesize 12KB
MD5 0096e87fa1869d8c6c34286e13764041
SHA1 ecb192d49c299593062848a8b8171a75231de67b
SHA256 b782ca5544f959597ee808db0c90dd5f0313964d4a7305bf75907a70f296e92f
SHA512 529d14a4d1a82253f4bf22035afa19fdd17aa88da2d082ae4c3b0df05472a53261fe998e696dd0c81df1205de5fe7d39e3828c418def90f3f22059b037906b79
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp
Filesize 25KB
MD5 9e8bcbcd1eebe611acf339d4b1cfa36a
SHA1 add6f0494764416bd5485da583455340c5dbda98
SHA256 1f979b0ae921ca51d5d20878c8d26c3dbe56f3d28a186ddc37f9377df7989964
SHA512 4a9142a84d16be9947a60cde208aeeef028bd8d7518a38a9bfff1ab314edf0db035cb1367fc868b33f171abcf0af310427f1abe756b9ad9f71760dbd7ed7ad93
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp
Filesize 21KB
MD5 e9bd8a7f4aad41c3786fe31d8c891152
SHA1 d20a88cd36d3b1e3ae940c7453f97b64ac45a006
SHA256 3d27ec7d8727873552690aedee2bcde0726b3eb43f5affb49812d46d16de1207
SHA512 859a5dd3af67e73ed046168eed5d7566c4ee654ff7529c040a85c44cb5c8ae65cda789242256fe0d3f249cf7052fb63603dc2c5d31159e9ffea859aa29b99cad
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp
Filesize 22KB
MD5 04e3e59e973ae5645ff4a4889cd48642
SHA1 8f78fb7025874ef4e422b4c98a71aa5e4b56bfa2
SHA256 126576ff29d414743913df06c6df74d9279f80c3f845fdf4a3c8ae9d892f0361
SHA512 3e61bb08628a38e359e54e3d3823207eee27123e24d38f817d2f4f7600ce605c732225a6c8c73a982b8f667e845047ef5e01a263d111dc5fe2cd2b761f034167
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\59111c11-92af-4e3d-950c-c8316b425522
Filesize 982B
MD5 1c962f72cdd1d307669a3a5d5bd53fe1
SHA1 5553c188d838f90262ce121c4417acb4dd6127ce
SHA256 9990baffa169d59b4ebb47c57fd226bb0c8732fd84695a69197964f564dfd517
SHA512 aed87b172a918208868efca50cd15dfb2980a361e7ebabf14aff333b3e180b55c64c04e9b0aceca8b8450eecc608b890496754358a9407fee5cc13202fcf6bb6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\b24007f0-b234-4d67-9c8b-110999955b62
Filesize 659B
MD5 c8dc05fcc521a1eeb682d2fc13dc9d09
SHA1 f3eaf07f5c8a73989ade78f1578ed2171f00bce9
SHA256 a9355821659c753481cebbfb5ea97643093a73e445497016ff1c6f10ba64c9b0
SHA512 066b2f6b52c57c3b456dd11c25d1e103782df2723cf025f760407f04b51d5667e6d5db64491317769fc4342e9dd1d0213ffb8d4ceddbc6e0d021aa57f0034078
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize 992KB
MD5 369b898fa7d79941e5590ade83d47d71
SHA1 9d0146d1c0210e3688bb442ac3da455557770b61
SHA256 b77529455b46d0d12ad13655d99b639d0286bbf7ef67326a04b365c86e73cc44
SHA512 68938d105234d7b6c07290b289e2ca600bb5d9ac991826fc58da76ea3ad9e6e536b8d9f4cb19854075ed624198017958793ce4b299ee2903379ff29f789562ae
-
Filesize 10KB
MD5 3128be3dd927feb42ea42b02b95916e2
SHA1 72446b589f2f7e5438a3baa6c548b9e0264fcf48
SHA256 1f6eca32d86c7bc10096825f1b8c2e1feaecb99e9e03c9b7be1d6ca85f52e01b
SHA512 09feb14369918641a221870c1575db839071ae27a03af53ae2b8f804080ae327fff050d28940b53cb7d794ea8ec8bc4f9d1ad9253ea9bdaf7c3a0195fe8f8eaa
-
Filesize 13KB
MD5 31030a2e32d479d0e3f8cd8f5c9600b7
SHA1 ecddbf47d0c5a9a7953dd73cf19b0f3360211e42
SHA256 50e760d68bea699a8821d26e6ff2f88d46cb6ab91d7b77b7bd0103719b9addd3
SHA512 85df0ce194d4c720f15cff3d6a0ed9e84dfe80791183a07c0e91d60bbc0c7d6d85fd59d17c2d76655f7d85a8a13de758becd512c1472c61e31999c5205412c48
-
Filesize 8KB
MD5 a49e8417c52a8d141b8fbe799efc2e87
SHA1 2faf0923f2e8d70248a030d77e58832728dc7315
SHA256 93e57f87593efdc3f1e4627a404168be9182a86634b6ac50577b4f02ef686d9b
SHA512 d889bf61fa408a88d4ea853ca80d9de4c2591fee451e32c05a013ba6ae0b749e5fb2a2b62810a406571b6b32b1fe5d129f64ae9ebcdb1dcc5927cd99c30fb1ca