Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 04:27
Static task
static1
Behavioral task
behavioral1
Sample
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe
Resource
win10v2004-20240709-en
General
-
Target
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe
-
Size
1.8MB
-
MD5
2dff402b11d60b8d635038afcb1edd60
-
SHA1
c62452c7fec9c0d9e2fc85a1682cf451698a8e2a
-
SHA256
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa
-
SHA512
0cfc5fe4924dbd0b86999f6da23bbe5edfb8f4d404b6c33bed029c86a7faf21fbd043b8a497508245cf99ad1e49f555bee573b21ab40a4948d44ad959f437690
-
SSDEEP
49152:Mzkc23o/6iaEjDalWdm9y/pJIwxmO+37huq:gkdziDmf8Hxm93
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
explorti.exeexplorti.exeb0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exeexplorti.exeexplorti.exeBFIJEHCBAK.exeEHDGCGIDAK.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BFIJEHCBAK.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ EHDGCGIDAK.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeBFIJEHCBAK.exeEHDGCGIDAK.exeexplorti.exeb0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion BFIJEHCBAK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion EHDGCGIDAK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion BFIJEHCBAK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion EHDGCGIDAK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
explorti.exe611893ac49.exec3fb9eed39.exeb0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation 611893ac49.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation c3fb9eed39.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe -
Executes dropped EXE 8 IoCs
Processes:
explorti.exec3fb9eed39.exe611893ac49.exeexplorti.exeBFIJEHCBAK.exeEHDGCGIDAK.exeexplorti.exeexplorti.exepid process 2264 explorti.exe 2820 c3fb9eed39.exe 740 611893ac49.exe 4100 explorti.exe 1548 BFIJEHCBAK.exe 4876 EHDGCGIDAK.exe 4900 explorti.exe 2900 explorti.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exeexplorti.exeBFIJEHCBAK.exeEHDGCGIDAK.exeexplorti.exeexplorti.exeb0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine BFIJEHCBAK.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine EHDGCGIDAK.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe -
Loads dropped DLL 2 IoCs
Processes:
c3fb9eed39.exepid process 2820 c3fb9eed39.exe 2820 c3fb9eed39.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exeexplorti.exec3fb9eed39.exeexplorti.exeBFIJEHCBAK.exeEHDGCGIDAK.exeexplorti.exeexplorti.exepid process 3368 b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe 2264 explorti.exe 2820 c3fb9eed39.exe 4100 explorti.exe 2820 c3fb9eed39.exe 1548 BFIJEHCBAK.exe 4876 EHDGCGIDAK.exe 4900 explorti.exe 2900 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exedescription ioc process File created C:\Windows\Tasks\explorti.job b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exec3fb9eed39.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString c3fb9eed39.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 c3fb9eed39.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exeexplorti.exec3fb9eed39.exeexplorti.exeBFIJEHCBAK.exeEHDGCGIDAK.exeexplorti.exeexplorti.exepid process 3368 b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe 3368 b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe 2264 explorti.exe 2264 explorti.exe 2820 c3fb9eed39.exe 2820 c3fb9eed39.exe 4100 explorti.exe 4100 explorti.exe 2820 c3fb9eed39.exe 2820 c3fb9eed39.exe 1548 BFIJEHCBAK.exe 1548 BFIJEHCBAK.exe 4876 EHDGCGIDAK.exe 4876 EHDGCGIDAK.exe 4900 explorti.exe 4900 explorti.exe 2900 explorti.exe 2900 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 316 firefox.exe Token: SeDebugPrivilege 316 firefox.exe Token: SeDebugPrivilege 316 firefox.exe Token: SeDebugPrivilege 316 firefox.exe Token: SeDebugPrivilege 316 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe611893ac49.exefirefox.exepid process 3368 b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 740 611893ac49.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
611893ac49.exefirefox.exepid process 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 740 611893ac49.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 316 firefox.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe 740 611893ac49.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
c3fb9eed39.exefirefox.exepid process 2820 c3fb9eed39.exe 316 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exeexplorti.exe611893ac49.exefirefox.exefirefox.exedescription pid process target process PID 3368 wrote to memory of 2264 3368 b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe explorti.exe PID 3368 wrote to memory of 2264 3368 b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe explorti.exe PID 3368 wrote to memory of 2264 3368 b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe explorti.exe PID 2264 wrote to memory of 2820 2264 explorti.exe c3fb9eed39.exe PID 2264 wrote to memory of 2820 2264 explorti.exe c3fb9eed39.exe PID 2264 wrote to memory of 2820 2264 explorti.exe c3fb9eed39.exe PID 2264 wrote to memory of 740 2264 explorti.exe 611893ac49.exe PID 2264 wrote to memory of 740 2264 explorti.exe 611893ac49.exe PID 2264 wrote to memory of 740 2264 explorti.exe 611893ac49.exe PID 740 wrote to memory of 4592 740 611893ac49.exe firefox.exe PID 740 wrote to memory of 4592 740 611893ac49.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 4592 wrote to memory of 316 4592 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe PID 316 wrote to memory of 1784 316 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"C:\Users\Admin\AppData\Local\Temp\b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\c3fb9eed39.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2820 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe"4⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe"C:\Users\Admin\AppData\Local\Temp\BFIJEHCBAK.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1548 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe"4⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe"C:\Users\Admin\AppData\Local\Temp\EHDGCGIDAK.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\611893ac49.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd47c087-4ef6-47c0-a380-f82a75d0700e} 316 "\\.\pipe\gecko-crash-server-pipe.316" gpu6⤵PID:1784
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7fd9e9-8c74-4201-81f3-038ec97a84cf} 316 "\\.\pipe\gecko-crash-server-pipe.316" socket6⤵PID:4572
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 1568 -prefMapHandle 1468 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6355c80f-6b34-4657-b459-035cd5ccec44} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab6⤵PID:2352
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac49e12-eaaa-4e94-b69e-c0b85f87d0f1} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab6⤵PID:2396
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4824 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4780 -prefsLen 31278 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ff702d8-4717-4b35-ba9a-2bfc1060280a} 316 "\\.\pipe\gecko-crash-server-pipe.316" utility6⤵
- Checks processor information in registry
PID:4080 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 4788 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96f1a325-4ac9-4e9d-9713-fe17fd9a38d9} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab6⤵PID:3184
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -childID 4 -isForBrowser -prefsHandle 5268 -prefMapHandle 5264 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2615b79d-e32c-4360-b84f-6d377d5739e2} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab6⤵PID:4100
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 4796 -prefMapHandle 5300 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea5af53d-542d-4465-adc0-148c434ec889} 316 "\\.\pipe\gecko-crash-server-pipe.316" tab6⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4100
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4900
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2900
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\activity-stream.discovery_stream.json.tmp
Filesize21KB
MD53a7070b2ce5c9d7950433d3364045f7c
SHA1ce85f9be997145f14586b473b5a31635f908d492
SHA256b733c2d765762b3e6b9c27ae8988f99607a5429ae313e04a65dee20678782542
SHA512789e48e31ca32b67c42c16b27ac9645893527a04618fb80c0c3ef08eee07de6a7065cdc91edcf6f0fcec8dbded0da153aeb92737234b0b89df401ee762374b85
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD58db159c343089b17945d9697e86c247e
SHA1f56d53502c8867c977a001d47f516b7dc4797cf6
SHA256344bcdbc23d22fa8634c97e57e8bea35c40b9c04005af5e2891aa6a5efe74dee
SHA512eefaea60d7f8199e402d208f4c720c1c9c76d9cda92e8066f803be2fa42ebcb506bcdd323a9e90c5721a71503cabf473127c48b540dda3beb6d49de6dc7917c3
-
Filesize
2.4MB
MD577e2f975608c88144f09c2183217adff
SHA1d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64
-
Filesize
1.2MB
MD5bea6ed281b600eae06be252f581721c1
SHA125fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
1.8MB
MD52dff402b11d60b8d635038afcb1edd60
SHA1c62452c7fec9c0d9e2fc85a1682cf451698a8e2a
SHA256b0a8c250928967e2407142d1cbe65369e141380849f8761405fd9992009123fa
SHA5120cfc5fe4924dbd0b86999f6da23bbe5edfb8f4d404b6c33bed029c86a7faf21fbd043b8a497508245cf99ad1e49f555bee573b21ab40a4948d44ad959f437690
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\AlternateServices.bin
Filesize11KB
MD5764fa98164c24da50f6c8d7b51030adb
SHA1e680d41c5f5cb00f530ab239920179a1d13ca436
SHA256eb31eee4ae42a85607d58ef4a7b8a10401854d1c1c7da4416b242d94939c1a18
SHA512bfe6fe998d35c301b277826a4beb01e71c6a2ed85edcc8013df509cb6f604c5fd2647014b3dd48208da2e52cab48c3879ebe0ce6aaa482bf36e98a19d790b293
-
Filesize
192KB
MD51998ea2238b846dc00da20b370cc8dbc
SHA19221396a66f963241d29fe65930ea4df8c4b6905
SHA2569ab8bb11df703b8210b58a4169b0e2001d7e2f5b28175d7f326f23ace565c053
SHA51230e48c3f857dc7d7b5abb1641f83be208e6e5aaa21b638a81563caa4d925e2a9f438eae9c3d024725326136801a700b4780105f2f71bb2265cd1ab57f7f02c5a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize3KB
MD5b039bf85fc0dae9052f3e8cfb391e856
SHA1cc7d4153bb6176f91be9372aaa5d05734859c1bd
SHA256d165d63eb58b15c10820dc95a32d81880ae34586ecf917f22d32a116a72ea879
SHA512597a5ae69fe7ec1246f4b3244ae214a04cbdaa40d18a1bb85c02387740e0cf81122aeb97c133c61f302b4ad61439afc80aac4db6eedc3e6d5a4a0681f96f2e50
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5bdbbf322686e049a5c9128bb2401493e
SHA1aab9f6cdfcd73597840e22f9fe49da4d621aa059
SHA256cfeff1fbfae5cb9daf9898cd622948a057e14225f4985469f502f13e17b50b13
SHA5123a5bbcee8d3620b8163a8fbce2d7a9f278f08b0cee81f3a5a5688178fd6aeffcefb0fd5776c730682cbc873fa4f97e13fe0a978c9fe9b7abcac2f0fc778c9f96
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5eec23717952b64ba6638f708f07948a2
SHA19e615224b93e8278e36db1afc6c3a1b00ee6b85b
SHA25616a9a7c73e55bc673d3faa12879849d6ef020a43bbe661f9302b4a68267ba918
SHA512933b247272bc76a75cd51b046d78bb8aa2d00a4e89af693531ee9248d63d35dc74e97f6f42c4e33a4c5c50cdfca635365d238ce53202abc448a7602dc5faf2a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5042fbc5faa9d185de5091ae62c5f2912
SHA18d44d3d6fb20a6b09268ebfdd8b4ce011d2c117e
SHA256b2fc210df714f56541e8ebb7d68b093825bee31ef63f32b1b0c4c36eba37b6ea
SHA51227be9c166115eb907511bd67460ced6d3b73e393f1eebd43e17e523d24a871af87d3b997ae632f986ec99c648d691c892bd9b2c53642ce212beac59668b65f51
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\933adcf8-c7d7-4507-9db1-ad80bf2d020d
Filesize671B
MD5e4ea6cf299b2c9454e589af84fad3ed2
SHA1481687a27642959cffd642c020998926edc9c4c0
SHA256f1653f30a4a7d523c1b7104f2985803241b1d6173750a0c28660d2535c8422be
SHA51243f526d518e0c01ca05e9fad883dff5af35f6fe3c1b84f4a21f5a94aeeb49613c7b5588c10b52457655e011066c463a426d99933cca35bb9cd3ab5b6226ae715
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\d31ab7bd-43a1-448e-bdfc-f9016c4abf86
Filesize982B
MD546fb08e78351d5dcbd73df3c8142855c
SHA19cd3fcb1d20adfa98d9f0b5db16e17f7f9a131a1
SHA256af2c4d454ab173df8fb1b57ec869f22b23279856cff82ebf3775afcc99a8fb3c
SHA5128f91eba913cadf59d646676b2bb64978d535ee093748359fe517de795c5985ba7b603bca8ca3635c3fdd69aad5bf3633ff4c5cb09ebd80b904dbc8732aaa19e9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\fb316db3-a536-4348-b954-9522a7fb964c
Filesize27KB
MD5034fa6dc88bd0c70a59fe0adf2307374
SHA1a81bcc33543f7ca741ab9dd6765584f2f3c6a9f0
SHA256951f9f0c528bf297ec73faefec554065605da9ae82cbf2f86f7943e28b4072a6
SHA512887effe4a32dbbe9d6614393746cd09a705d6af12540da20a34fc5f77f8fab2c835831444a623e0054c0c2c8be0aa7325ec3b73dd6ed9e6a438c4bb9c6f5a80c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
992KB
MD5508ebce803db464fe5459ae99a3d9de1
SHA1724c4b550cbacc761552ab3d146b79f6715f43c5
SHA25621a16cc399dfaab8b1c46958ca6e9489980d1daaf9ac7073ffcdea83befac3d2
SHA5129afabfbdd65e419cdd99c34eb9c26e119341e876d3b1c4696b40825367ef595fdd89e6abe1e8f306d6d657747602ad66751420f35337345e3cb935d6475b6dd9
-
Filesize
8KB
MD5bfb823409a973511d073e9f4fa9c8a71
SHA1c86de5741d4c02dc420489e4e66c2c21ca809d8e
SHA256cc2a942345c3b7484cc6805accce291bc14b0ffec335d1e6af1edcacfb3d9af0
SHA5120803a27df7048a559faa82ccea5fe7d8fed9fdec390c7fc7462ecc4ede878e67921ff23c53d057087d497ea143ede36d76778e224eb47b833dd46f0837623084
-
Filesize
10KB
MD5cb92ce3bba640f0496591a4db622879c
SHA126502b6c24f19ede1bd246d188a9ad04c2866e54
SHA25665919e8f69e8067a036896c73296a187992bcc8f95f99e04b7d4a650d1185e40
SHA512d063dcc2d83e1e560151f93c921b84e2723be6c82092a1a03b4ebff268968f6b71b1bd4cd8a92a36ffea9cf838e0d054232118c73cb94b81c53b2323c7c2a6a4
-
Filesize
8KB
MD50422074ec07e41f701f620fb8082031b
SHA11b549cac3905ce2866ade82f9d50c7395825699b
SHA2561b79805db031de3b30447c3060223e790cf969cd759e3693cb1d1b92581b4dc3
SHA5128a41e42217a73f2accd294d8562fb2c57500211482d369e900bfc90f76fc86ae760c5a6245a1c551e5d94572f2313281f038821a6881b3c82498db7ca9b7d52a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.2MB
MD57c46c4a680c06167335ac31175cdab58
SHA144964c66e7ce87ab5b70f6f63ba1ed267fc810b2
SHA2569e0db454b360040332a0dc9cc2259db33f039af1d7da54e62e114ac52d3fbdf9
SHA512daf7bb84b80c457998cba2f65b7b390a7e12a2e4359cae99ceaad1f4e06582c46c37c55a208b80fd9bf4f3cc186f28448cce86609f5bd9e93658fb59ee3e94cb