Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 06:57
Static task: static1
Behavioral task: behavioral1
Sample: c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
Resource: win10v2004-20240709-en
General
Target: c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
Size: 1.8MB
MD5: 8e5cc3afe25b3fa1938214fb22b4b782
SHA1: 9f244a294689f1f2b3fb730e7edaa9751c578068
SHA256: c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
SHA512: 8d782afdd9fa14270c37f9e58ad3fa61ca1374d041483ca9c7c6b3ef7aa4f22ba1a0c2dad00df456ff65f4d8b4abc99d88317a830bad67ca2533a5e1ee84bc34
SSDEEP: 24576:wxxapjQABqZ2VAsxp0KGSLrz7s/eQdika4S2580kzP4GpOGCBZTcNGMG/NZi6WN4:msJQAkZ2KRUn87980w1YbUNYInr
Malware Config
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CGIEBAFHJJ.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IJDBKKJKJE.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CGIEBAFHJJ.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IJDBKKJKJE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CGIEBAFHJJ.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IJDBKKJKJE.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | 4b946c8ffc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | 68d3151dba.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | explorti.exe
Executes dropped EXE 7 IoCs
Processes (pid | process):
  1584 | explorti.exe
  1236 | 68d3151dba.exe
  3108 | 4b946c8ffc.exe
  532 | CGIEBAFHJJ.exe
  4344 | IJDBKKJKJE.exe
  2016 | explorti.exe
  1728 | explorti.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | CGIEBAFHJJ.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | IJDBKKJKJE.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine | explorti.exe
Loads dropped DLL 2 IoCs
Processes (pid | process):
  1236 | 68d3151dba.exe
  1236 | 68d3151dba.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes (pid | process):
  4908 | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  1584 | explorti.exe
  1236 | 68d3151dba.exe
  1236 | 68d3151dba.exe
  1236 | 68d3151dba.exe
  532 | CGIEBAFHJJ.exe
  4344 | IJDBKKJKJE.exe
  2016 | explorti.exe
  1728 | explorti.exe
Drops file in Windows directory 1 IoCs
Processes (description | ioc | process):
  File created | C:\Windows\Tasks\explorti.job | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 68d3151dba.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 68d3151dba.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class 1 IoCs
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes (pid | process):
  4908 | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  4908 | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  1584 | explorti.exe
  1584 | explorti.exe
  1236 | 68d3151dba.exe
  1236 | 68d3151dba.exe
  1236 | 68d3151dba.exe
  1236 | 68d3151dba.exe
  532 | CGIEBAFHJJ.exe
  532 | CGIEBAFHJJ.exe
  4344 | IJDBKKJKJE.exe
  4344 | IJDBKKJKJE.exe
  2016 | explorti.exe
  2016 | explorti.exe
  1728 | explorti.exe
  1728 | explorti.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 3080 | firefox.exe
  Token: SeDebugPrivilege | 3080 | firefox.exe
  Token: SeDebugPrivilege | 3080 | firefox.exe
  Token: SeDebugPrivilege | 3080 | firefox.exe
  Token: SeDebugPrivilege | 3080 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid | process), 64 entries shown, collapsed to the distinct rows:
  4908 | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
  3108 | 4b946c8ffc.exe (repeated)
  3080 | firefox.exe (repeated)
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid | process), 64 entries shown, collapsed to the distinct rows:
  3108 | 4b946c8ffc.exe (repeated)
  3080 | firefox.exe (repeated)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid | process):
  1236 | 68d3151dba.exe
  3080 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process), 64 entries shown, collapsed to the distinct rows:
  PID 4908 wrote to memory of 1584 | 4908 | c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe | explorti.exe (3 entries)
  PID 1584 wrote to memory of 1236 | 1584 | explorti.exe | 68d3151dba.exe (3 entries)
  PID 1584 wrote to memory of 3108 | 1584 | explorti.exe | 4b946c8ffc.exe (3 entries)
  PID 3108 wrote to memory of 1904 | 3108 | 4b946c8ffc.exe | firefox.exe (2 entries)
  PID 1904 wrote to memory of 3080 | 1904 | firefox.exe | firefox.exe (repeated)
  PID 3080 wrote to memory of 3728 | 3080 | firefox.exe | firefox.exe (repeated)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; bracketed number is the nesting depth)
[1] C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4908
  [2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1584
    [3] C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\68d3151dba.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        PID: 1236
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"
          PID: 1204
        [5] C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID: 532
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe"
          PID: 4540
        [5] C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\IJDBKKJKJE.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID: 4344
    [3] C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\4b946c8ffc.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 3108
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          - Suspicious use of WriteProcessMemory
          PID: 1904
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3080
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec6da45c-e16b-4f17-a198-a7d32c49b75d} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" gpu
              PID: 3728
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f8b928-3509-480b-ae81-44ab253e9de8} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" socket
              PID: 4920
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3060 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1751b2a9-f161-4bad-a7c8-22e2dd8d4510} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab
              PID: 5056
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4004 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 2776 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70899185-22c9-47fe-a378-144f0e610db9} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab
              PID: 4668
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4824 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4680 -prefsLen 31272 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41a5d7cb-e5fc-4bcb-8859-ab149ae946b6} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" utility
              - Checks processor information in registry
              PID: 3560
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59aa8b5d-cd53-4487-9fd9-d7a7c6897912} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab
              PID: 4824
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5176 -childID 4 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5975fb-0e2c-4bab-8ec2-eb5fcf4ed2ff} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab
              PID: 2508
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5612 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6ac1721-0756-40db-b216-5bd81ecfaa1f} 3080 "\\.\pipe\gecko-crash-server-pipe.3080" tab
              PID: 812
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 2016
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 1728
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 24KB
MD5: cf9a30603e0098342f0f4b53fca93132
SHA1: 191ea64b5d8179dbcb4165f618596c723d259c88
SHA256: 09a02cd47a7477bb6d056bbe1947a567a6c5d4084644beb1278e7bd5d2564aef
SHA512: 323ce13511e936997b1b1a31bbc70ecf14604489588ae1ec391d4597adff6960bed3837b1e0f78690a28d64a6f08b0aea0c17a53bf30159ce3aef0111590b381

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize: 13KB
MD5: becabd546a531dfad42a1ba825745014
SHA1: a78b85f7aea6039316379792da3c5baed01abda8
SHA256: 84bcc0eafa9983dbf02ef0b399842d9b73f40e03023f1fff1f0a35627dd5da1a
SHA512: 3f754bb0d53f50c005d55fe5a801918a2818406de524b668f643969563babee5808a21ed98613b385062dbf3f6c4b472ca3d6a80aadb8ee313afe542e7dec356

Filesize: 2.4MB
MD5: 77e2f975608c88144f09c2183217adff
SHA1: d54426b5072ad1b974492836fc2ddee0bc6f2747
SHA256: dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9
SHA512: ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64

Filesize: 1.2MB
MD5: bea6ed281b600eae06be252f581721c1
SHA1: 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256: d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512: 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

Filesize: 1.8MB
MD5: 8e5cc3afe25b3fa1938214fb22b4b782
SHA1: 9f244a294689f1f2b3fb730e7edaa9751c578068
SHA256: c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
SHA512: 8d782afdd9fa14270c37f9e58ad3fa61ca1374d041483ca9c7c6b3ef7aa4f22ba1a0c2dad00df456ff65f4d8b4abc99d88317a830bad67ca2533a5e1ee84bc34

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin
Filesize: 11KB
MD5: f34fe9b2710490e54a9c9903fa264c53
SHA1: 6464643b9449f4b7246b7c9b8ccd42f7c804b5c4
SHA256: 3a04db6b73053f6cc8109f3297a056be4f4b6116bcee60fe94ea37d31816751f
SHA512: f7d2da4cdd55e60b86c5e7747c57571d8d291925d48ff2ce67738c5737b90b9cbe289a9984b2b6de5e21969b601a1e7b135d15f605d37548b7cdb8abbc6d22de

Filesize: 256KB
MD5: 7eeffc361d82395910f5ee15bfa9d47d
SHA1: 86bc6bbf97b99b867d8917138e3a5a0c3dc536bd
SHA256: fa3c187373f7f9b0f56b283fe6054a3b984b8e21e2012acfa70dfc191c85a2e8
SHA512: 2fdd15e80c0024b0112f5e2967992f41e5dacc05740814639522b82087e89055b05ba5fc359b578a18b593f638092736f4c1331833553c1ab634b520d1804ee8

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 231bac33a9ee45fc2dc4a03e343df990
SHA1: e29a86851e936fb38640eacd6e6ed539ec496180
SHA256: 622b909a56c7b419c6c02a0387612548405f81195c84f8c5b8dcfef608a078b6
SHA512: f1302b5fc98c1de86200064b317b654ad5d392c2a5171bf855831c06e75b1559a9c2d30f1bae5ddf35a4fd147c2efc761bcf39a5ef4d53a2d3ab3021b0cc5c65

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 3KB
MD5: 8add972e9fa26808dd78a7531671e0da
SHA1: 6cd9a1d8682ae629aecb1487f0cb2d8f194f13f4
SHA256: 762c4456c540bc6368f6bc0b2e933fb907472ee83549e3f5985cce08cc0cb993
SHA512: 8a47e6887d939c6963e3ba2b509d3ce44ec8138f78decdc6b959044f4ff14e2e9520e8fcb206a28cb9c1378aeca1acffaa9138e02257f92bbbeb29080db83b5a

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: 7a95575b4beed25c568b1566b7422d57
SHA1: d4741cab4ae190cce5b1bfd6f44ec0d8c7a96941
SHA256: af438cbd808b3cf451d9a94a9656ee5cb293dcb1e20b9b8e92745076d78d250a
SHA512: 34fe97be29519466073f8f863c24e08cbec91bb0cb86fd4036322d6772bf49887666971514bba7b88edb90d30cc553b3d4ef1efaedbfdfdbfd1bd7240fce4bae

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\23e37b1d-fa48-482a-86d3-81a052a22cb8
Filesize: 27KB
MD5: bdf2eb0861de39bce0e19fbf30f61782
SHA1: 5211bcb0b775b67178a367fdcce930bb9a5de38b
SHA256: 46e5bd786782fa821b3bcae139ab005343d0a42f791cbf5ea8e74afe990f6e5b
SHA512: 75948c603a750383c2d1fe6b3380e1a8d8d673588ec91b0d74e930825d6765a8cf0403483b8d56a29fa4d60f8c22aa86ee0c3467349a2032321bc594d838b069

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\8603d293-2795-41e7-8b17-f0fa89a48a41
Filesize: 671B
MD5: 4504dc0567f0713cce2657c72125263a
SHA1: 49c670eb05437f4ca025816c0ade4db601f3db5c
SHA256: a4a459e23ef28f9027d2584259631e23d973d71099b390ca2f0146366617cb7a
SHA512: c8ea073ebc19d57cae4053ee872e0d9b361ed827c0a2acd044abe81ec91edac9e5eb33cf3d9d2e096449a59278147606584027d370edc8c6b51ea65699ac5caf

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\e2b1609b-9ee7-47ac-9ec0-924025706140
Filesize: 982B
MD5: 29cbd86622bdb789de041c280aab2509
SHA1: dca91da4d78ef1be7860237bfdc212b08ef6ef26
SHA256: 6ce379088e37d3d2421712636c3bb253627eaadf5c58cda51d7614a65b1c0f26
SHA512: 97c7f8b38da148d5a314d4e41541ff0db045dd3d024e98c6892c257d4b1278b58a4b3d6edaf29fb701efeeafaa1f56c29847070fb80e6aeb62b43afae94ec3ba

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 992KB
MD5: cb48d4888b907b775493f1012e7601d8
SHA1: 72c3ef9a0cfa17ef840060f0e9fcab2491481c5a
SHA256: 13037e8c073c22c191d1025cff4e990d0d5eb2651d9b158ee22b5b7dcf03a294
SHA512: 0e29bc633283cb988770fd06f40c998d4946aaa47d323496069a63dc57607c053005814a72faaa8a24317af0d469bb6c4053a666dcb465533a94a92911fc38b5

Filesize: 10KB
MD5: a0f84a7698058bbb4e48e70a9bec696a
SHA1: 94c342a43d907c01bf11d37677c28e609f325e17
SHA256: 95f1abf4facdc80afdeffe743c361da5d29cefc9ffd1a36eb86e3a31070fc5c0
SHA512: 02351eff207a488fdf0803a207a9ef245d94f17a1961e7a09117a1bf280412e2915503f30035338fa30e73fdda774151497c5d0cbffbaef8766aa4e316a68d8c

Filesize: 13KB
MD5: 7a35b406907c919acf9b784660d7c4d0
SHA1: 5a2e9ecd6067acb758d5144c657285634ac74572
SHA256: 17e9fc5b8da614e483017a587f5495fda773c00310af4cda201a4235f05912e0
SHA512: 268e8389d6bc2d0f283d27550c4f2ece260a3fccc408ac0c2d7b9a5a43fbc2d7374ec033586ddafaa7915086d9f1c88063c2abd84a6cae11b9681b8ac59cde9d

Filesize: 8KB
MD5: ea0bdefbdffbd65ee62dec07274aba46
SHA1: 80452142c7e6466b6e46f15c77b2c8e8ab1a0e93
SHA256: 3f6d0e88c0a481029dbb44401ca2248e76edc0db40859278127c608f44f8b006
SHA512: 14b407521d9058cc9066a462051eac2cc502a5f5e86dbc6be8d83aad5ec832238add0466286e2f53e361ad0d5f1a05273df6b147a0f9bed78fc7db030017d790

Filesize: 8KB
MD5: e4d6fe6fc408f944b0cdb0a8f336747a
SHA1: b5c94a964bfb68f34bc94b9ac6ea9bd96a4147b5
SHA256: e100ff70996dad7c4f7e1b807a7601ba025784dfa7b857052e05e76081fd9aa2
SHA512: 03c0c73daad855f9c60a2f47825eb53ad13170ddc8d9bb0c0cbacd143fd72cf10e2fc2b3d921bfde1934a9eff5128e563f08130429bd8508be4dc13cd8daa4cd

Filesize: 8KB
MD5: 5a6b398b1965b193a0e5572703831386
SHA1: 5e16731d74c048bc66d27075c8e3270e8b678615
SHA256: 5fb48f5c2b78e1148f32276e67c5fe5c9dd80819fe1ecd2921edaf01e8e3917c
SHA512: 09183d8c8b02bc9d6482e50f4e96cd87a6013de57721dc276c244e7d58b9914834275a7fac2a9ce0cdb643e306628e3d23401d3c8704d58f9090778cae5c4325