Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 03:27
Static task: static1
Behavioral task: behavioral1
Sample: dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
Resource: win10v2004-20240709-en
General
Target: dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
Size: 2.4MB
MD5: 77e2f975608c88144f09c2183217adff
SHA1: d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256: dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512: ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64
SSDEEP: 49152:2XLqMXAi8oVUaWDYlK3lgsCC7I1ecAX8HCPeLkPHlgz:2XvAi8o1emKVXCC7I1ebX8HCPeqH
Malware Config

Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
url_path: /920475a59bac849d.php

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
- DHIJEHJDHJ.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- DHIJEHJDHJ.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- DHIJEHJDHJ.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- DHIJEHJDHJ.exe: Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
- explorti.exe: Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
- 816bf80ab7.exe: Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
- dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe: Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation
- cmd.exe: Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation

Executes dropped EXE 6 IoCs
Processes (PID, name):
- 2692 DHIJEHJDHJ.exe
- 2396 explorti.exe
- 4968 614bf1e4f4.exe
- 1980 816bf80ab7.exe
- 1520 explorti.exe
- 588 explorti.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- DHIJEHJDHJ.exe: Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine

Loads dropped DLL 2 IoCs
Processes (PID, name):
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource, YARA rule):
- C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe: autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
Processes (PID, name):
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 2692 DHIJEHJDHJ.exe
- 2396 explorti.exe
- 4968 614bf1e4f4.exe
- 4968 614bf1e4f4.exe
- 1520 explorti.exe
- 588 explorti.exe

Drops file in Windows directory 1 IoCs
Processes:
- DHIJEHJDHJ.exe: File created C:\Windows\Tasks\explorti.job

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision

Modifies registry class 1 IoCs
Processes:
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes (PID, name):
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 2692 DHIJEHJDHJ.exe
- 2692 DHIJEHJDHJ.exe
- 2396 explorti.exe
- 2396 explorti.exe
- 1520 explorti.exe
- 1520 explorti.exe
- 588 explorti.exe
- 588 explorti.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (PID, name, token):
- 1580 firefox.exe: Token: SeDebugPrivilege
- 1580 firefox.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (PID, name):
- 5104 dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
- 3536 cmd.exe
- 4968 614bf1e4f4.exe
- 1580 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe (PID 5104)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2664)
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe (PID 2692)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DHIJEHJDHJ.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 2396)
          Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe (PID 4968)
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\614bf1e4f4.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx

        [5] C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe (PID 1980)
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\816bf80ab7.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3188)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              - Suspicious use of WriteProcessMemory

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1580)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                - Checks processor information in registry
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3564)
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1928 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {126e670c-64b9-4fcf-b9e8-5cb3d98c33a7} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" gpu

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3756)
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e6c0990-ada0-4026-bf7b-c2f970f2d6bf} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" socket

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1244)
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ba307c3-b377-4b91-bb45-0dae3bf1b729} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1748)
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12043376-dc6c-4cc2-8fe6-6d6c7cb3c237} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1600)
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4688 -prefMapHandle 4684 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {933a9f8a-d8d3-47b3-b036-e044373cb19b} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" utility
                  - Checks processor information in registry

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5880)
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5544 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a1ffa12-c7c4-4574-a8c0-a378b23c460c} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5892)
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5573a0e0-e7de-4689-b0df-a9bde9632633} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

              [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5904)
                  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5956 -prefMapHandle 5952 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a72f2e1-91af-449f-8e7a-f35c99d3c708} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab

  [2] C:\Windows\SysWOW64\cmd.exe (PID 3536)
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBAFHCBFHD.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 1520)
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 588)
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses