Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
10-07-2024 07:30
Static task
static1
Behavioral task
behavioral1
Sample
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe
Resource
win10v2004-20240709-en
General
-
Target
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe
-
Size
2.4MB
-
MD5
7eac5517949c3ba823c0d05f296bd953
-
SHA1
89d79b84addb51db2bdfeb90c7780dda23fabd2d
-
SHA256
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
-
SHA512
d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89
-
SSDEEP
49152:81s8BuadFFjSnGgQWYec225D4JnoSIOXEUMF9+wKm1fMkK:2BP9SnGrfeGh+onOXEdf6m1Ek
Malware Config
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
GIJJKFCGDG.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GIJJKFCGDG.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeGIJJKFCGDG.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GIJJKFCGDG.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion GIJJKFCGDG.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Executes dropped EXE 6 IoCs
Processes:
GIJJKFCGDG.exeexplorti.exea1239b82bf.exea98f9f6bb6.exeexplorti.exeexplorti.exepid process 4128 GIJJKFCGDG.exe 1552 explorti.exe 5144 a1239b82bf.exe 3132 a98f9f6bb6.exe 3296 explorti.exe 5000 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
GIJJKFCGDG.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine GIJJKFCGDG.exe Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exepid process 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exeGIJJKFCGDG.exeexplorti.exea1239b82bf.exeexplorti.exeexplorti.exepid process 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4128 GIJJKFCGDG.exe 1552 explorti.exe 5144 a1239b82bf.exe 3296 explorti.exe 5000 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
GIJJKFCGDG.exedescription ioc process File created C:\Windows\Tasks\explorti.job GIJJKFCGDG.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exefirefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exeGIJJKFCGDG.exeexplorti.exeexplorti.exeexplorti.exepid process 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4128 GIJJKFCGDG.exe 4128 GIJJKFCGDG.exe 1552 explorti.exe 1552 explorti.exe 3296 explorti.exe 3296 explorti.exe 5000 explorti.exe 5000 explorti.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 3568 firefox.exe Token: SeDebugPrivilege 3568 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
a98f9f6bb6.exefirefox.exepid process 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3568 firefox.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
a98f9f6bb6.exepid process 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe 3132 a98f9f6bb6.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.execmd.exea1239b82bf.exefirefox.exepid process 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe 4104 cmd.exe 5144 a1239b82bf.exe 3568 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.execmd.exeGIJJKFCGDG.exeexplorti.exea98f9f6bb6.exefirefox.exefirefox.exedescription pid process target process PID 4968 wrote to memory of 1476 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe cmd.exe PID 4968 wrote to memory of 1476 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe cmd.exe PID 4968 wrote to memory of 1476 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe cmd.exe PID 4968 wrote to memory of 4104 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe cmd.exe PID 4968 wrote to memory of 4104 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe cmd.exe PID 4968 wrote to memory of 4104 4968 4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe cmd.exe PID 1476 wrote to memory of 4128 1476 cmd.exe GIJJKFCGDG.exe PID 1476 wrote to memory of 4128 1476 cmd.exe GIJJKFCGDG.exe PID 1476 wrote to memory of 4128 1476 cmd.exe GIJJKFCGDG.exe PID 4128 wrote to memory of 1552 4128 GIJJKFCGDG.exe explorti.exe PID 4128 wrote to memory of 1552 4128 GIJJKFCGDG.exe explorti.exe PID 4128 wrote to memory of 1552 4128 GIJJKFCGDG.exe explorti.exe PID 1552 wrote to memory of 5144 1552 explorti.exe a1239b82bf.exe PID 1552 wrote to memory of 5144 1552 explorti.exe a1239b82bf.exe PID 1552 wrote to memory of 5144 1552 explorti.exe a1239b82bf.exe PID 1552 wrote to memory of 3132 1552 explorti.exe a98f9f6bb6.exe PID 1552 wrote to memory of 3132 1552 explorti.exe a98f9f6bb6.exe PID 1552 wrote to memory of 3132 1552 explorti.exe a98f9f6bb6.exe PID 3132 wrote to memory of 1440 3132 a98f9f6bb6.exe firefox.exe PID 3132 wrote to memory of 1440 3132 a98f9f6bb6.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 1440 wrote to memory of 3568 1440 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe PID 3568 wrote to memory of 2320 3568 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe"C:\Users\Admin\AppData\Local\Temp\4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe"C:\Users\Admin\AppData\Local\Temp\GIJJKFCGDG.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\1000006001\a1239b82bf.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\a1239b82bf.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5144 -
C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\a98f9f6bb6.exe"5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1824 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {975738fe-308f-401f-bb80-d25f3c85bb70} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" gpu8⤵PID:2320
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2336 -parentBuildID 20240401114208 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddfcd32f-92f6-4964-8dbf-06c31b4199a0} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" socket8⤵PID:4332
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 3204 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65dc593c-1e2a-4224-b671-049d61906f01} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab8⤵PID:4048
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 3872 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b68d972-c66a-4c6e-9233-3889b6cc9340} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab8⤵PID:5524
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4172 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81ef044-7503-4d2a-af39-0f34ef154cb7} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" utility8⤵
- Checks processor information in registry
PID:1696 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5580 -prefMapHandle 5588 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02142226-d7a4-4747-885f-fff1cdc5d9e2} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab8⤵PID:3476
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1c8a63-7161-41df-9f37-a3f602220996} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab8⤵PID:5212
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5988 -prefMapHandle 5984 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e287d9b0-5762-4150-880e-fcd602ca2b46} 3568 "\\.\pipe\gecko-crash-server-pipe.3568" tab8⤵PID:420
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIDHJDGCGD.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:4104
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3296
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0xshw2k.default-release\activity-stream.discovery_stream.json.tmp
Filesize18KB
MD5de2db5a4fa74b1a500bfb9ffb3f81528
SHA1713a350cc4ed31c355c8100808ee064a695723ff
SHA25623a0b1e83de46d4675274b37a31d7e13a1f6b580586d0a9298be271c113ef922
SHA51287d01203cacee424f44f081c7446f512776f19604e8bf12f15f7c0f46b36a858973d4565e98fe3ae99495429d61ae046f56eb88511cadd526ba34914cccfe281
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0xshw2k.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD50d5ee1a5f99482a7038e797816121e40
SHA186fe9653ff1485e59145b5f70399bdc9ee849f98
SHA256b6b4cf0feeae5f717b5b4228cb41196908587f5b05021618c4b243fe9726916a
SHA512401948b5106228ec80917a8eb09068ae32139b644d4ba775021b7f662849f717fb783e97140f8706af3d47cdb2afd9528bf222cc7fc34d9db3127db58b566787
-
Filesize
2.4MB
MD57eac5517949c3ba823c0d05f296bd953
SHA189d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA2564f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89
-
Filesize
1.2MB
MD5bea6ed281b600eae06be252f581721c1
SHA125fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
1.8MB
MD58e5cc3afe25b3fa1938214fb22b4b782
SHA19f244a294689f1f2b3fb730e7edaa9751c578068
SHA256c6b8415226bd057d38f7ede39eac5cd20dd41881269ae69f1cf22a71208a0f8f
SHA5128d782afdd9fa14270c37f9e58ad3fa61ca1374d041483ca9c7c6b3ef7aa4f22ba1a0c2dad00df456ff65f4d8b4abc99d88317a830bad67ca2533a5e1ee84bc34
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\AlternateServices.bin
Filesize8KB
MD541320c4b8971fe620688ca24047a2f8c
SHA1084a15650a77a1015ca840c1c5920ab3286b3787
SHA25678a9ae25202dd1d5378f2788ef86a939675174df89cd089081fdb864b19d95c0
SHA51223cb1fe8cbbb1f5fd24bdf2fe0980dd08e7f16f2d4494fd1fbd546adac0f71cb40d9b60a623a1eb371d2ca43fc585662f137ea9f80cf4c7d2e2885844cfc0eb3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\AlternateServices.bin
Filesize12KB
MD5bb3b9d789ef84f37b7264afc7f2d05f9
SHA1d5f24b4b0b730020e740f30ddf47146be6b0a0f6
SHA25650a3ff28719b4f6926273f211b65f6b6f15b2f6a3c6422d51a9e02a02fdeb871
SHA512e3c2e41b94818e62c6b85b80f236dc8427a407540a1f1ae23a312ad5a680b4f37ae691daeff969885dcf47ac64b1fdfb3b4bb8b6ab687f58efe0befa7f9786d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5c8e089c06c919ab5560931447e4586fb
SHA1c4ccdd5f83190b522bc450b67cdfad5dc95eb2a4
SHA256b93af6eee0779ef70e8453742e55d02f7833c1ea1a87eee71708ef310cadbb52
SHA512037fc36443c0bfcb78416d44c38a619224cfd72dde0d1295da045fa88ca4fc154a16f9469d71c5648f7cd75f3ac649b68fcc93b7206c9154653cc80f9acd1c81
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5b4302663e5942ec36ffdb71c6d55685a
SHA11fd3e8a581d8d94cae462fc804769584857b778e
SHA2564eecaca5445fefa6b3460a01d58a79cae3aec7b74fcfe34a085d151ee7d21c55
SHA512345b78b734df01486ffd971edd4fcc41c65259dc3a5bfd8b0b150fb20ce4fb2655e83eb5d2d516f6b1cf490a433ed6f709d8a20cfdd1e32b1f77389997e5a8e8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5767910d068b6aaf7579fa427530b05a8
SHA155a09294750ccff83553d6f267b4bfe9d1e156be
SHA256b14b9c57570b0a3b553173f9df4750131ad5c62349f8e751969c2ecb1dddacf5
SHA512eb153e2dcd5ff30f55a9c9ed73785d71cd2db066dac89475129fe6de137c5688effbf11e4dd2fb1e973493ac93d4c74478d9836c546041a7ff05be96398ad2ae
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\pending_pings\080ef24b-41d5-4df6-898f-fee048fc17ae
Filesize671B
MD5ee865a5925f2d306f7002136f2ebc182
SHA1de24bdc3a436643ab522051df99be507986fb0bf
SHA256b7814cdbbd9586fbe516ce008d5ea605a4322ae8d06ea6a801cf6d4b21ae7492
SHA512707bb3d8fbe606708e725973c77507b65628274c98a5fc67a2babe8b29e422f30835ce201e335f50bdc385ee5a0c50b57f080ac53c6ca1f18a8ee8761cf0976c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\pending_pings\a71d6e00-fc9f-45f3-8348-e2b4431c5b4b
Filesize982B
MD5a45740849fa856d704c1c6dffd3e3701
SHA1adf24c4f5eeb0c4b853f281fb71c7edd0e6ed9c8
SHA2567dec8088988802c0a44f5123948e32911d0ecfd20e7e028b2b3f3b4676350024
SHA512fbeae0744b4b860309e0e95702e8abea463b0e59e1e7ccc18dbe0ed532046dfe3cfbae697554c575750eed93f091f2ba93f84397d7766342dca0b4d312919423
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\datareporting\glean\pending_pings\ee833bea-987a-411e-85b8-45a448d91dde
Filesize26KB
MD56b265892b590a76c6ab5cddf0cfb58d8
SHA1ba5db57c06bd0d103a6bfae3dbfce7bdc56a2ba3
SHA25664f2c385972046ec45646d153b90526def5db8201a986b11dc3697efb5ac596c
SHA51288ff5ffba0da59c3ed8f3f70e0be1c5e0a386b33bc606c9ba0366bed7a030652f51f42344e7b813504905bd0a072bfeb57f6d2b616adefe292423d62dd645bb6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD532faf7f0ef4009cc2f6c5e47f29aa217
SHA1d36836473ce36e26d1a8b73111f9e8668a93ffca
SHA256792308b86a6c863ff70950a18bfdfdbada31408e508448c56235a89be6b9f455
SHA512f79a654b7b54d4f14e5223d831eac41e7a5d953daa5280933dca18e2fdc62e4c23b68777880cc00625a6d8377ce4f1bf1017c7710f8d0d18e03ad89918c03ea3
-
Filesize
13KB
MD5d9143f352eeeb88b239f516842f33fcf
SHA1e47cb929fe759f4ff24646dc4d8cebb2e1bdccc0
SHA25651fbcd4bbc46eb2164ab15ba19a86173328694a461dcfeb76d03ee2167b83ce0
SHA512ae498cda89b773a2085555bb9355a65fc3e5084435207485450e5b66150697376f892323d1e29c217018b47e4edd0ea0d9684832daa5548badfb6e79301fb3fd
-
Filesize
8KB
MD53a8409d3a93ed9260d1eb7f3a31fa39a
SHA1ebbb341517ebdbd4724cc0ca42fed897899f2a3e
SHA25683c122d8bf03427d73c617bbe9f2164ddee268bb26549d5b16c167b024a6f88f
SHA512a434649524024aa72ded154ffe7281ab438d5db64b5875d5c41ac52a6da77b5cdcc3f2d9a43e23cddb20d4a433ba5c5bc6c07e806d77e24db2456665f038255b
-
Filesize
8KB
MD56b6d42cc3237664dfcc44432da30aad9
SHA1d197d637484c4bb71b8dc0626e93f7e8d43008c4
SHA256bc470c39faf13a3af2afc4a2f153509432365f9d0b2c4b0198d89e6ab83923ce
SHA51256b8088a0d9c712e837bd3a903cc9da26265acef4d465846c9c1bdc674e514ee238e3f1cd87340a8f1a46691c26d7b748cdd22dbac14b8ea453a96fe1e83b6c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0xshw2k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.1MB
MD51b7eeedbcc3c02ebfee7c045225276b6
SHA14c5351ed2f33fa223bccfc078db6ac89861a4f06
SHA256cc304746bc2a03d455c8af030be688ce9aae709a54dcc8490af7edd86d28be9f
SHA512f7bb671fc323b8c0adb4df7064dda763f3d8abb077c22f5010e207c4044b2ee8767b02e4fbc3ed0f391e889e0a127e4dca9781e04a6e47a77d8a7ef433481727