Analysis
max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10-07-2024 03:10
Static task: static1
Behavioral task: behavioral1
Sample: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
Resource: win10v2004-20240709-en
General
Target: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
Size: 1.8MB
MD5: fb26e404f23d62125f6a4c9a0a62c9e6
SHA1: 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
SHA256: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
SHA512: 82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1
SSDEEP: 49152:J0AWYmat25fnyPgzTmC/nQ6aZeCzSdKLNcfn7fYX:JVD+5fny4zaR6yj+DfYX
Malware Config
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
(install_dir and install_file match the dropped copy at C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe in the process tree.)
Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
The ACPI DSDT table of a VirtualBox guest is named VBOX__, so opening this key is a direct hypervisor check.
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, explorti.exe (four instances), EBAAFCAFCB.exe
  Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (once by each of the six processes above)
Downloads MZ/PE file
-
Checks BIOS information in registry [2 TTPs, 12 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes: EBAAFCAFCB.exe, explorti.exe (four instances), e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (by EBAAFCAFCB.exe, e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, and explorti.exe x4)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (by EBAAFCAFCB.exe, e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, and explorti.exe x4)
Executes dropped EXE [7 IoCs]
Processes:
  PID 412  explorti.exe
  PID 2524 explorti.exe
  PID 3056 a19bf38dea.exe
  PID 4940 8dfe88c326.exe
  PID 2276 EBAAFCAFCB.exe
  PID 4612 explorti.exe
  PID 3100 explorti.exe
Identifies Wine through registry keys [2 TTPs, 6 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorti.exe (four instances), EBAAFCAFCB.exe, e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
  Key opened \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine (once by each of the six processes above)
Loads dropped DLL [2 IoCs]
Processes:
  PID 3056 a19bf38dea.exe (2 entries)
Reads data files stored by FTP clients [2 TTPs]
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
-
Checks installed software on the system [1 TTP]
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable [1 IoC]
AutoIT scripts compiled to PE executables.
  Resource: C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe
  YARA rule: autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [8 IoCs]
Processes:
  PID 3824 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
  PID 412  explorti.exe
  PID 2524 explorti.exe
  PID 3056 a19bf38dea.exe (2 entries)
  PID 2276 EBAAFCAFCB.exe
  PID 4612 explorti.exe
  PID 3100 explorti.exe
Drops file in Windows directory [1 IoC]
Processes:
  File created C:\Windows\Tasks\explorti.job by e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe
Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry [2 TTPs, 10 IoCs]
Processor information is often read in order to detect sandboxing environments. Note that eight of the ten entries here belong to firefox.exe, which enumerates the CPU as part of normal browser startup; only the two a19bf38dea.exe entries are attributable to the dropped payloads.
Processes: firefox.exe (two instances), a19bf38dea.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe, 2 entries)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (a19bf38dea.exe)
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe, 2 entries)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (a19bf38dea.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Modifies registry class [1 IoC]
Processes: firefox.exe (browser housekeeping; none of the dropped executables appears here)
  Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses [16 IoCs]
Processes:
  PID 3824 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe (2 entries)
  PID 412  explorti.exe (2 entries)
  PID 2524 explorti.exe (2 entries)
  PID 3056 a19bf38dea.exe (4 entries)
  PID 2276 EBAAFCAFCB.exe (2 entries)
  PID 4612 explorti.exe (2 entries)
  PID 3100 explorti.exe (2 entries)
Suspicious use of AdjustPrivilegeToken [5 IoCs]
Processes: firefox.exe only; none of the dropped executables adjusts token privileges in this run.
  Token: SeDebugPrivilege, PID 2120 firefox.exe (5 entries)
Suspicious use of FindShellTrayWindow [64 IoCs; list capped at 64]
Processes:
  PID 3824 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe (1 entry)
  PID 4940 8dfe88c326.exe (repeated entries)
  PID 2120 firefox.exe (repeated entries)
Suspicious use of SendNotifyMessage [64 IoCs; list capped at 64]
Processes:
  PID 4940 8dfe88c326.exe (all 64 entries)
Suspicious use of SetWindowsHookEx [3 IoCs]
Processes:
  PID 3056 a19bf38dea.exe
  PID 2120 firefox.exe
  PID 1564 cmd.exe
Suspicious use of WriteProcessMemory [64 IoCs; list capped at 64]
The entries follow the process tree exactly (each parent writes into the child it has just created), so this signature mostly records process creation rather than injection into a foreign process; the firefox.exe to firefox.exe rows are the browser's own multi-process startup.
Processes: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe, explorti.exe, 8dfe88c326.exe, firefox.exe (two instances)
  PID 3824 e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe wrote to memory of PID 412 explorti.exe (3 entries)
  PID 412 explorti.exe wrote to memory of PID 3056 a19bf38dea.exe (3 entries)
  PID 412 explorti.exe wrote to memory of PID 4940 8dfe88c326.exe (3 entries)
  PID 4940 8dfe88c326.exe wrote to memory of PID 4748 firefox.exe (2 entries)
  PID 4748 firefox.exe wrote to memory of PID 2120 firefox.exe (11 entries)
  PID 2120 firefox.exe wrote to memory of PID 2880 firefox.exe (all remaining entries up to the 64-entry cap)
Uses Task Scheduler COM API [1 TTP]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
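The registry reads listed in the signatures above (the VBOX__ ACPI table name, the BIOS version strings, the per-user Software\Wine key and CentralProcessor\0) are the sandbox checks this chain runs before it does anything else. The following is an added example, not part of this report and not the sandbox's own signature code, of how a detection engineer would turn them into a per-process score over registry-access events. It takes (pid, image, operation, key) records, constructed here from the rows on this page, and flags a process only when it reads a key that ordinary software has no reason to touch (the VirtualBox ACPI name or the Wine key) or when it combines two indicator families. The weighting, the family names and the event tuple format are assumptions of the example; it deliberately leaves firefox.exe and a19bf38dea.exe unflagged because the report shows them reading only CentralProcessor\0, which ordinary software does.

```python
"""Score processes for the sandbox-fingerprinting registry reads seen in this report."""
import re
from collections import defaultdict

# Key paths this report shows being read, grouped by what each read reveals.
INDICATOR_FAMILIES = {
    "acpi_vbox": re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    "bios": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I),
    "wine": re.compile(r"\\Software\\Wine$", re.I),
    "cpu": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I),
}
# Assumption of this example: one read of the VirtualBox ACPI table name or of the
# Wine key is enough on its own; BIOS and CPU values are also read by ordinary
# software (Firefox reads CentralProcessor\0 on this very page), so they only
# count when two different families are combined.
STRONG = {"acpi_vbox", "wine"}


def families_for(key):
    """Indicator families a single registry path belongs to (possibly none)."""
    return {name for name, pat in INDICATOR_FAMILIES.items() if pat.search(key)}


def score(events):
    """events: iterable of (pid, image, operation, key).

    Returns {pid: (image, sorted family names, flagged)}.
    """
    seen = defaultdict(set)
    images = {}
    for pid, image, _operation, key in events:
        images[pid] = image
        seen[pid] |= families_for(key)
    return {pid: (images[pid], sorted(f), bool(f & STRONG) or len(f) >= 2)
            for pid, f in seen.items()}


def flagged_pids(events):
    """PIDs whose combined reads cross the threshold, ascending."""
    return sorted(pid for pid, (_img, _fam, flagged) in score(events).items() if flagged)


# Constructed sample events, copied from the signature rows on this page.
HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000"
SAMPLE = "e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe"
SAMPLE_EVENTS = [
    (3824, SAMPLE, "Key opened", HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    (3824, SAMPLE, "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (3824, SAMPLE, "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (3824, SAMPLE, "Key opened", HKU + r"\Software\Wine"),
    (412, "explorti.exe", "Key opened", HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    (412, "explorti.exe", "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (3056, "a19bf38dea.exe", "Key opened", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    (3056, "a19bf38dea.exe", "Key value queried",
     HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (2120, "firefox.exe", "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"),
    (2120, "firefox.exe", "Key value queried",
     HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"),
]

if __name__ == "__main__":
    for pid, (image, fams, flagged) in sorted(score(SAMPLE_EVENTS).items()):
        print(f"{pid:>5} {image[:24]:<24} {','.join(fams):<22} {'FLAG' if flagged else '-'}")
```

Run against real telemetry, the events would come from Sysmon event ID 12/13 or an EDR registry feed rather than the inline list; the point of the two-tier weighting is that a rule firing on BIOS or CPU reads alone would page on every browser and installer on the estate.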
Processes
Depth in the tree is given in brackets; cmd.exe shows as C:\Windows\SysWOW64\cmd.exe because the 32-bit parent's reference to System32 is redirected by WOW64.

[1] C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe (PID 3824)
    cmd: "C:\Users\Admin\AppData\Local\Temp\e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 412)
        cmd: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\1000006001\a19bf38dea.exe (PID 3056)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000006001\a19bf38dea.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\SysWOW64\cmd.exe (PID 3012)
                cmd: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe"
                [5] C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe (PID 2276)
                    cmd: "C:\Users\Admin\AppData\Local\Temp\EBAAFCAFCB.exe"
                    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    - Checks BIOS information in registry
                    - Executes dropped EXE
                    - Identifies Wine through registry keys
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                    - Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\SysWOW64\cmd.exe (PID 1564)
                cmd: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBAFIDAECB.exe"
                - Suspicious use of SetWindowsHookEx
                (no child process for CBAFIDAECB.exe is recorded in the tree)
        [3] C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe (PID 4940)
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000010001\8dfe88c326.exe"
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4748)
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                - Suspicious use of WriteProcessMemory
                [5] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2120)
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                    - Checks processor information in registry
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2880, gpu)
                        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 924 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ece89d6-1b50-4ba4-956e-f0d6cd685729} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" gpu
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3748, socket)
                        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b7f029b-76d6-445d-92d4-f76c5ac8de7f} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" socket
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1156, tab)
                        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2956 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3148 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35bb56bb-c197-47af-9bd4-444d76e71f56} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1372, tab)
                        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 2896 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d382a09a-7998-4e47-8b85-7f777325b851} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1536, utility)
                        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4604 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5222380-a57f-4002-8273-8de4d4554bf1} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" utility
                        - Checks processor information in registry
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1760, tab)
                        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5456 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {610979af-2dca-41b4-a906-dd850cdd334f} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3136, tab)
                        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 5740 -prefMapHandle 5736 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a3bd39e-2548-4419-a57c-727b0f0a21c3} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab
                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2628, tab)
                        cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5868 -prefMapHandle 5876 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bbf5b7b-0ade-40e9-95d9-30ae85ff3de1} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" tab

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 2524)
    cmd: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 4612)
    cmd: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 3100)
    cmd: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

The three later explorti.exe instances (PIDs 2524, 4612, 3100) sit at the top of the tree with no recorded parent and an unquoted command line, which is consistent with the explorti.job task the first process dropped in C:\Windows\Tasks re-launching the Amadey install_file on its schedule; the report does not show the task's trigger, so the interval is not known from this page.
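The tree above contains the launch patterns worth alerting on in this chain: the Amadey install path (Temp\<install_dir>\<install_file>, both taken from the extracted config), payloads run from ten-digit directories under Temp (1000006001, 1000010001), a Temp-resident executable launching another Temp executable through cmd.exe /c start "" "...", and a browser started by a Temp-resident executable. The following added example, which is not from this report and not the sandbox vendor's code, expresses those as process-lineage rules in Python over process-creation records constructed from the tree. The ten-digit-directory generalisation, the rule names, the browser list and the record format are assumptions of the example; the re-launched explorti.exe instances are given no parent because the report records none.

```python
"""Process-lineage rules for the launch patterns in this report's process tree."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Assumption: generalises the two drop directories on this page (1000006001, 1000010001).
NUMBERED_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\\d{10}\\[^\\]+\.exe$", re.I)
# cmd.exe /c start "" "<something under Temp>.exe", as used for EBAAFCAFCB.exe and CBAFIDAECB.exe.
START_LAUNCHER_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+start\s+""\s+"(?P<target>[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.exe)"', re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}  # assumption: browsers worth checking


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]  # None where the report shows no parent
    image: str
    cmdline: str


def proc(pid: int, ppid: Optional[int], image: str, cmdline: Optional[str] = None) -> Proc:
    return Proc(pid, ppid, image, cmdline if cmdline is not None else f'"{image}"')


# Constructed from the process tree on this page; parent links are the ones reported.
SAMPLE_PROCS: List[Proc] = [
    proc(3824, None, TEMP + "\\" + SAMPLE),
    proc(412, 3824, TEMP + r"\ad40971b6b\explorti.exe"),
    proc(3056, 412, TEMP + r"\1000006001\a19bf38dea.exe"),
    proc(3012, 3056, CMD, r'"C:\Windows\system32\cmd.exe" /c start "" "' + TEMP + r'\EBAAFCAFCB.exe"'),
    proc(2276, 3012, TEMP + r"\EBAAFCAFCB.exe"),
    proc(1564, 3056, CMD, r'"C:\Windows\system32\cmd.exe" /c start "" "' + TEMP + r'\CBAFIDAECB.exe"'),
    proc(4940, 412, TEMP + r"\1000010001\8dfe88c326.exe"),
    proc(4748, 4940, FIREFOX, f'"{FIREFOX}" https://www.youtube.com/account'),
    proc(2120, 4748, FIREFOX, f'"{FIREFOX}" https://www.youtube.com/account'),
    proc(2524, None, TEMP + r"\ad40971b6b\explorti.exe"),  # re-launched; parent not recorded
]


def install_path_re(install_dir: str, install_file: str):
    """Amadey install location built from the extracted config (install_dir, install_file)."""
    return re.compile(r"\\AppData\\Local\\Temp\\" + re.escape(install_dir)
                      + r"\\" + re.escape(install_file) + "$", re.I)


def lineage(procs: Dict[int, Proc], pid: Optional[int]) -> List[int]:
    """Root-first PID chain for pid, stopping at a missing or already-seen parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid].ppid
    return chain[::-1]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def evaluate(proc_list: List[Proc], install_dir: str = "ad40971b6b",
             install_file: str = "explorti.exe") -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for every process that matches at least one rule."""
    procs = {p.pid: p for p in proc_list}
    install_re = install_path_re(install_dir, install_file)
    findings: Dict[int, List[str]] = {}
    for p in proc_list:
        rules = []
        ancestors = lineage(procs, p.pid)[:-1]
        parent = procs.get(p.ppid)
        if install_re.search(p.image):
            rules.append("amadey_install_path")
        if NUMBERED_DIR_RE.search(p.image):
            rules.append("numbered_drop_dir")
        if TEMP_RE.search(p.image) and any(TEMP_RE.search(procs[a].image) for a in ancestors):
            rules.append("temp_lineage")
        if basename(p.image) == "cmd.exe" and START_LAUNCHER_RE.search(p.cmdline):
            rules.append("cmd_start_launcher")
        if basename(p.image) in BROWSERS and parent is not None and TEMP_RE.search(parent.image):
            rules.append("browser_from_temp")
        if rules:
            findings[p.pid] = rules
    return findings


def launch_targets(proc_list: List[Proc]) -> Set[str]:
    """Paths handed to cmd.exe /c start; useful as file IOCs even when the child never ran."""
    return {m.group("target") for p in proc_list
            for m in [START_LAUNCHER_RE.search(p.cmdline)] if m}


if __name__ == "__main__":
    procs = {p.pid: p for p in SAMPLE_PROCS}
    for pid, rules in evaluate(SAMPLE_PROCS).items():
        print(" > ".join(str(x) for x in lineage(procs, pid)), rules)
    print(sorted(launch_targets(SAMPLE_PROCS)))
```

The first-stage dropper (PID 3824) is intentionally not matched by temp_lineage, since a user double-clicking a download in Temp looks the same; what distinguishes this chain is the second hop from Temp into Temp, and launch_targets recovers CBAFIDAECB.exe as an indicator even though no process for it appears in the tree.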
Network
MITRE ATT&CK Enterprise v15
Downloads

Path: not shown in report
  Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Path: not shown in report
  Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 18KB
  MD5: 76132b713075794c82b4445157016ad5
  SHA1: fdf2aa11c39859f3d39ed905e264cb363e44bb57
  SHA256: 7887777a0764baac7c04ad230b27b63f2b6e489a0025f8b0f86f7cc771f5509d
  SHA512: 1f21ec32b71acbee83d241e1853e951c49ec365ff18e740e9d9c7a05d0dbee9f3388fb0bb402d15716fb8637fdd404aaa9ebff443d68e19aabfb5d40841d8c02

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cache2\entries\558F8F9C33CCBA6CC64740164FBB23EBD5D2F029
  Filesize: 13KB
  MD5: b59683cd54206496c5c04bd110da9825
  SHA1: 4936fb3d805bd1dcb869e52e4115e71a1d1d9446
  SHA256: 5ed36de5280a20e520128b7e0f992447fe6737e978234e8bbef0d0eeef8726a5
  SHA512: 49d6bac724b519a170c9b1471d91fdc4c4adade2f31aa358a7cd170b6f8e2e8c394f19b3bf786921e387d5e495839a7b2b52a3bb9a2aa876d7105636c90ce63e

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
  Filesize: 13KB
  MD5: b31c1841e222bfa1b849ff83162a5336
  SHA1: e35f6e038d19e5a62cc3a2c3e2a7e9dd14bebf2d
  SHA256: 7f53d7a8c339d06ba74f11d662604652bcf039f32b8abb605f002087cca01c0c
  SHA512: 372e4cc5824cac6a2e9f35a9b58d389c020a4fc7a9927e332714676b07c423e85e8d3c9a5ed638179f22385fa180d744525ad9b1930e754104811c2994839f9a

Path: not shown in report
  Filesize: 2.4MB
  MD5: 1552573045f153aa7269a30d3a1dd151
  SHA1: d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
  SHA256: d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
  SHA512: 8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

Path: not shown in report
  Filesize: 1.2MB
  MD5: bea6ed281b600eae06be252f581721c1
  SHA1: 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
  SHA256: d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
  SHA512: 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

Path: not shown in report (same hashes as the submitted sample)
  Filesize: 1.8MB
  MD5: fb26e404f23d62125f6a4c9a0a62c9e6
  SHA1: 43d1f2fbb5f8fb0fbd8461741c93446cb08d51e3
  SHA256: e0cf6000d021226014df4f63ccdb44917dc90eedb4b4e62f6c320067c446ef7c
  SHA512: 82c79a30623096e0044a58da9628e59c2a98cadb09c50f60302e04d47a7dabfc64b57efeca2e4c9213568da324d29f15fc38b268ff4b330101d93d0de2ec3bf1

Path: not shown in report
  Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Path: not shown in report
  Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: a33fe7a82b17a9e4696d3ce5c7f02bc8
  SHA1: d7b30d9d6cad963f172681fd0a8f3e812c5e8a65
  SHA256: c6e7e9921e6162330e314956d91a187eaee866408c40ce159d90ce57bb968916
  SHA512: 34ab5eaf6a27a39ceac1285552504ec3800f0579d08fc25d4ae3eff5d819a6fd94e8fc1ebf29e0682322bcaa17fe3454b475b9855cf6f59cd6444a7e45f8a147

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin
  Filesize: 12KB
  MD5: b90f5a65d4ca2d76b82c4f01e0e4f484
  SHA1: a2bf739824b69bb400b82f4995ec341c8441a525
  SHA256: fab331d0bd0b1b808b9b5aec6419296e276a210bf92409f9905c66009b73149a
  SHA512: 071ca736e5a94095ecc2cc05fcf9f7089387bc2c7f72cefdf4f1467576a471efb89e71933ed66b0ea3baf6f6661fefbfd6609eb3393f27e59d8eff4ea3cfbff1

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 22KB
  MD5: f3af70a9f1611e454da80a85ef80a55f
  SHA1: 76196f4f2a4fce7f04d4faa4e02d7bc25c8cce06
  SHA256: 81f215e0a5ae00e205e21f20643e69915d71ff606f2abbd26b1a94a094eab480
  SHA512: 7c2b84452f52c94f9957601ff57a5837bf80a15770dd28f9d504e891dfa48b9ebf89ffecb928e5c8921419c8c6d65dc7936a6b3e202d405352a13df414750a48

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 22KB
  MD5: 6169ad84128e8e9aaed4c6bbb219283f
  SHA1: 0c5956e1cdbbb0c8d71d6b4f0f6a9363111a59b4
  SHA256: 142f4343b90735554f14dc5723cf714619317a50afb19a5828fc2d7afef41b06
  SHA512: 86c54a7e9c9b4e2fc45121b759a354a9886f43274f23ca9cff03ef2ab4c7f2d27212014c890808636ece198d17a72a34c4284ab7990bd9268e5bfc240b3fc26d

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 25KB
  MD5: ac92d554bee0a18b19536f76ffdc30e6
  SHA1: a0dbbe8cb5ed12095304f9743b703b7ffebb24ae
  SHA256: d3b858184ac9f508f16c57e76c75f784c9760548ce0e58d98c3c3192ec88fdea
  SHA512: 16a7f7ac76f7d71f739207acb6fc759ee67c67c6a1ac83b4b8215d9712e8f2513cc6820715cd7988b6aac6dc4b4128fd78198ea9045ebe31425068c60e753ae1

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 21KB
  MD5: fb91b8aafd27dff67efbee06ee010c9d
  SHA1: 7f0f71003c150d4d53ec96f0d5af1f615ab7aaa6
  SHA256: 7c8826061462cfc3628ce520b9e8c9388eae54ba9d23629b720f940d60e1e3f6
  SHA512: e5c6bc3fc848329cb0e813270e1e428d4cee0fe49e37643d1427a51d850303cd5235e64b1ae7bc6868ad5fe50493e26904a433455cfa7c862343d2a1e74f78be

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\55720806-8297-4d95-b11b-1309703a1603
  Filesize: 659B
  MD5: 90e549796e102593351c4c7b18b6ad79
  SHA1: 27ac65b64c4a4f47ee8e7cf6083bdffd762f60c3
  SHA256: e3ee738b391e614a12f41fcc9e7434d5b89b9409da90d1dccb3bac917f4633ae
  SHA512: 7ad465e85176dd210fbb208ff998a20283255ee7abbf418a91f7313885c3a9df5cab51a97eca888fa2d1c6a11904106deac6eb6d756e7d8605c700712b7200b7

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\bdb4268f-d96f-4629-a14f-53f605ca146d
  Filesize: 982B
  MD5: 6c2d18f1bfcd87868436de70c19e2161
  SHA1: aa0d9adba6adde227454e2e847dd0a1392f0f0f6
  SHA256: 437e2172cea46c43c376d72c08fc6bb8c2aa3a0127086a646a62381850c5bc72
  SHA512: 4e822a66f1a44c181b265841422eb47a0781dbdbf6aec65626c5ae01d50a6197c8d5567709d523f267d1770deeedd906b4688ab880dc7629df1c9aaa38b5f499

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Path: not shown in report
  Filesize: 8KB
  MD5: 679e1104084c62c07a800731f050e876
  SHA1: 15f3991a2286a78520b598c41cec33a89ae998d6
  SHA256: 40cc925b8fbd4815d12d2e16df51158f53411455b58da1f824b93aa52bbacc7c
  SHA512: 39b3fb88ea9653fb2ec795846b6325c3d1d6bd267927ff2a8f9b522ecf2f1fec1b700c57342cefb16cfd209eb31577b2736e3f89ad63cd22738c26c8ed84cf8a

Path: not shown in report
  Filesize: 13KB
  MD5: a05602a9baf06059c9888f71758fab12
  SHA1: e77aa0f249c11ceb21b5dcec9b79799b0b3a1e61
  SHA256: 797be1802a160b3c8bd4efbb6f553b7f7a46766b89d1305789dc8077dd2e8c25
  SHA512: 9c21f6b215cd1ca4f5c857ff9be1bb92104b1325254c8572b571f0b7836bd778d591cf798c07c744705730395b9b6ae9bf19726a04a6df1c099484f66da4da24

Path: not shown in report
  Filesize: 10KB
  MD5: cf1f563ed396f3b1b43182669af10b93
  SHA1: 1f101724e103b7db020e58d03a2e105317a1161b
  SHA256: 10c2666f5a56212c6533f917ecdd8e897fc2c152c8c735a9d7fa7b984abede3a
  SHA512: 13a446acdeaacfbe0f47e52fdf8c3aebeb0c855a33a8af54a661edbfffd1c6a9f5642d40f7a25017f2fab467bfbfa8120bc04e316fed2d96c58b05efb1b9dc73

Path: not shown in report
  Filesize: 8KB
  MD5: 2f956493fb350dae7a4bb7a021f2c6fd
  SHA1: 92a3be42c0d665b0a91d7d6a12c03d75354cc9bc
  SHA256: 62d32c2239217b19d1169ac561eb6694597467c5d8e43e6b0c590cc4443817ae
  SHA512: b906d68d66c8e63156c19a20b5e347c9d099561d55fd9ded1697f58604cdbd1052df6c3a3e1cc6eeaca0512e3be1c19132ddbf9d77fd980b30c33f24c45bfb19

Path: not shown in report
  Filesize: 8KB
  MD5: 0c3dc6a05b74a159b3a37a507ecc95ac
  SHA1: d077902dd06f2a6438cc1e72148425cb7e7d7d5c
  SHA256: 3d31e94f4ccc323caa0f0603d4e10dabbf549e3516c6571843eea70dd9c5157e
  SHA512: 96ebe161171ea4087cbb6837d747edde160e2faebdb73d346c9d2c95835750ea15b3acdad95a5faa2e7792d37e0de57a4a6b3d56fa6ddd2c7d4aadecd896953c