Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10-07-2024 05:44

Static task: static1
Behavioral task: behavioral1
Sample: db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
Resource: win10v2004-20240709-en

General
- Target: db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
- Size: 1.7MB
- MD5: 3f8e1855a2e2dd666ff5afaa12d8f7ab
- SHA1: 1719bbfea7d7a0ddca31b4a982c7cc32159bae63
- SHA256: db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19
- SHA512: bdd8efa0d73685df27a5ea0afcd446ec4578c98b9c31296bfc9410c72023c4b1cda9110dac7f4505d3c39b5d74524e6c318012d39bfe29e78c155d381be30d00
- SSDEEP: 49152:VUObcV9gA9jabIgubCdHZYa9yaEzTkDVS:VO92ea/Ez4Dw
Malware Config

Extracted
- Family: amadey
- Version: 4.30
- Botnet: 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php

Extracted
- Family: stealc
- Botnet: hate
- C2: http://85.28.47.30
- url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IECBGIDAEH.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IECBGIDAEH.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IECBGIDAEH.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe

Executes dropped EXE 7 IoCs
Processes:
pid | process
552 | explorti.exe
2080 | explorti.exe
400 | a48e84fff2.exe
4888 | 94d0c71f42.exe
1948 | explorti.exe
4692 | IECBGIDAEH.exe
1332 | explorti.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine | IECBGIDAEH.exe
Key opened | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe

Loads dropped DLL 2 IoCs
Processes:
pid | process
400 | a48e84fff2.exe
400 | a48e84fff2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\94d0c71f42.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
Processes:
pid | process
1356 | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
552 | explorti.exe
2080 | explorti.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
1948 | explorti.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
4692 | IECBGIDAEH.exe
1332 | explorti.exe

Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a48e84fff2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a48e84fff2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe

Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
1356 | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
1356 | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
552 | explorti.exe
552 | explorti.exe
2080 | explorti.exe
2080 | explorti.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
1948 | explorti.exe
1948 | explorti.exe
400 | a48e84fff2.exe
400 | a48e84fff2.exe
4692 | IECBGIDAEH.exe
4692 | IECBGIDAEH.exe
1332 | explorti.exe
1332 | explorti.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4856 | firefox.exe
Token: SeDebugPrivilege | 4856 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
400 | a48e84fff2.exe
4856 | firefox.exe
1524 | cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1356 wrote to memory of 552 | 1356 | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe | explorti.exe
PID 1356 wrote to memory of 552 | 1356 | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe | explorti.exe
PID 1356 wrote to memory of 552 | 1356 | db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe | explorti.exe
PID 552 wrote to memory of 400 | 552 | explorti.exe | a48e84fff2.exe
PID 552 wrote to memory of 400 | 552 | explorti.exe | a48e84fff2.exe
PID 552 wrote to memory of 400 | 552 | explorti.exe | a48e84fff2.exe
PID 552 wrote to memory of 4888 | 552 | explorti.exe | 94d0c71f42.exe
PID 552 wrote to memory of 4888 | 552 | explorti.exe | 94d0c71f42.exe
PID 552 wrote to memory of 4888 | 552 | explorti.exe | 94d0c71f42.exe
PID 4888 wrote to memory of 1464 | 4888 | 94d0c71f42.exe | firefox.exe
PID 4888 wrote to memory of 1464 | 4888 | 94d0c71f42.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 1464 wrote to memory of 4856 | 1464 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe
PID 4856 wrote to memory of 1104 | 4856 | firefox.exe | firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db7f6b90fb81bbff19d9ac9b6e8f6465e536a5428d888b73be6f5d4a969dcd19.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1356

  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 552

    C:\Users\Admin\AppData\Local\Temp\1000006001\a48e84fff2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\a48e84fff2.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 400

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IECBGIDAEH.exe"
        PID: 5084

        C:\Users\Admin\AppData\Local\Temp\IECBGIDAEH.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\IECBGIDAEH.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          PID: 4692

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIJKEHJJDA.exe"
        - Suspicious use of SetWindowsHookEx
        PID: 1524

    C:\Users\Admin\AppData\Local\Temp\1000010001\94d0c71f42.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\94d0c71f42.exe"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 4888

      C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        - Suspicious use of WriteProcessMemory
        PID: 1464

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4856

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd670087-1f9a-4e7c-8431-abf42fbc281a} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" gpu
            PID: 1104

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {133e490d-8193-4dc5-b127-73315050f50a} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" socket
            PID: 2672

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 1 -isForBrowser -prefsHandle 2604 -prefMapHandle 2824 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cca172e0-8bf1-4328-881f-68008c2d9708} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" tab
            PID: 820

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3456 -childID 2 -isForBrowser -prefsHandle 3860 -prefMapHandle 2756 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f5aa124-58a8-411b-a44d-d4fba996303b} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" tab
            PID: 1928

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4588 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4580 -prefMapHandle 4576 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ccd3bd-1ddf-4876-8ebc-f766e3b5833f} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" utility
            - Checks processor information in registry
            PID: 700

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5632 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37811b4b-f8ec-40bb-99e6-0980f7431977} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" tab
            PID: 1252

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 4 -isForBrowser -prefsHandle 5876 -prefMapHandle 5664 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a22c941e-6879-4e0e-acaf-37cbca425917} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" tab
            PID: 4996

          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6020 -childID 5 -isForBrowser -prefsHandle 6028 -prefMapHandle 6032 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {995ddbc3-2931-454c-88a7-d8e399f723fd} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" tab
            PID: 4672

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2080

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1948

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1332
Network
MITRE ATT&CK Enterprise v15
Downloads