Analysis
max time kernel: 150s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10-07-2024 11:31
Static task: static1
Behavioral task: behavioral1
Sample: 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
Resource: win10v2004-20240704-en
General
Target: 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
Size: 2.4MB
MD5: 20fe4b16d13a547a5d7f4dbf543b595a
SHA1: 3c59aca1c693efb9923f04c312fdcd47388d24eb
SHA256: 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA512: c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e
SSDEEP: 49152:/rgHud6Pbzi1SlyXODTWdvT5un9ep9mwaCx6Iu7BBk:/uuwPHMSlyeWQw/a06ZB
Malware Config
Extracted: stealc
hate
http://85.28.47.30
url_path: /920475a59bac849d.php
Extracted: amadey
4.30
4dd39d
http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | AKFCBFHJDH.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AKFCBFHJDH.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AKFCBFHJDH.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Executes dropped EXE 6 IoCs
Processes:
pid | process
3008 | AKFCBFHJDH.exe
2028 | explorti.exe
3320 | 12dfe4a2c0.exe
2844 | 978a54d8c1.exe
3544 | explorti.exe
756 | explorti.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Wine | AKFCBFHJDH.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
pid | process
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
3008 | AKFCBFHJDH.exe
2028 | explorti.exe
3320 | 12dfe4a2c0.exe
3544 | explorti.exe
756 | explorti.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | AKFCBFHJDH.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
3008 | AKFCBFHJDH.exe
3008 | AKFCBFHJDH.exe
2028 | explorti.exe
2028 | explorti.exe
3544 | explorti.exe
3544 | explorti.exe
756 | explorti.exe
756 | explorti.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1260 | firefox.exe
Token: SeDebugPrivilege | 1260 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
AKFCBFHJDH.exe978a54d8c1.exefirefox.exepid process 3008 AKFCBFHJDH.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 1260 firefox.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe 2844 978a54d8c1.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
2844 | 978a54d8c1.exe (64 identical events)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
1844 | cmd.exe
3320 | 12dfe4a2c0.exe
1260 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3592 wrote to memory of 2000 | 3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe | cmd.exe (3 events)
PID 3592 wrote to memory of 1844 | 3592 | 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe | cmd.exe (3 events)
PID 2000 wrote to memory of 3008 | 2000 | cmd.exe | AKFCBFHJDH.exe (3 events)
PID 3008 wrote to memory of 2028 | 3008 | AKFCBFHJDH.exe | explorti.exe (3 events)
PID 2028 wrote to memory of 3320 | 2028 | explorti.exe | 12dfe4a2c0.exe (3 events)
PID 2028 wrote to memory of 2844 | 2028 | explorti.exe | 978a54d8c1.exe (3 events)
PID 2844 wrote to memory of 480 | 2844 | 978a54d8c1.exe | firefox.exe (2 events)
PID 480 wrote to memory of 1260 | 480 | firefox.exe | firefox.exe (11 events)
PID 1260 wrote to memory of 4888 | 1260 | firefox.exe | firefox.exe (33 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3592
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2000
    [depth 3] C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AKFCBFHJDH.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 3008
      [depth 4] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2028
        [depth 5] C:\Users\Admin\AppData\Local\Temp\1000006001\12dfe4a2c0.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\12dfe4a2c0.exe"
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
          PID: 3320
        [depth 5] C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\978a54d8c1.exe"
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 2844
          [depth 6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            - Suspicious use of WriteProcessMemory
            PID: 480
            [depth 7] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 1260
              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1856 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20431212-bf67-4a1a-a91d-bda426c97ee4} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" gpu
                PID: 4888
              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e156e7b3-4b5a-44a6-a41f-1679d9af445c} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" socket
                PID: 3884
              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3168 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ace6cbd-0933-4d7d-a57d-0af371835da9} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab
                PID: 3112
              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -childID 2 -isForBrowser -prefsHandle 2600 -prefMapHandle 2760 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c473927-3f52-47a6-bf7e-4496a023bb78} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab
                PID: 1172
              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4708 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4636 -prefMapHandle 4656 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e46f92c1-ac22-457d-8237-3504c6e3d025} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" utility
                - Checks processor information in registry
                PID: 484
              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5404 -prefMapHandle 5388 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dfedde8-8e09-4276-9730-968975364040} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab
                PID: 3136
              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c9ff399-1f28-4d8f-ad73-0e9d9cea9358} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab
                PID: 1568
              [depth 8] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e992255-12a1-4629-a481-64ebbf177e15} 1260 "\\.\pipe\gecko-crash-server-pipe.1260" tab
                PID: 5080
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe"
    - Suspicious use of SetWindowsHookEx
    PID: 1844
[depth 1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3544
[depth 1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 756
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s6dardkt.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 18KB
  MD5: a6cdac32d2eec42a52731a411b2b536b
  SHA1: b3d7f74c64cc9aa37d55385c06eeeccaa289158e
  SHA256: bf89079ac00c7536d98f0945b77af1419d7c8cd48d57df8e779a28743946c66f
  SHA512: b02e14f43694c0986f1cf22cd3c35d3f40bd4eeb2eef80aaceb8ecd2540ad18bc5065d238af6eab4474cb0fd30d91074922ce0c3d0f9d103ec129ec807e796f8
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s6dardkt.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
  Filesize: 13KB
  MD5: 43b09351578423a00e5192ad32344b35
  SHA1: 22ceb7849f4c9bb670d09e6744032e1c55b43ed2
  SHA256: adf052d61a5439a63ce5031356e697810d88c73b150a62041281409e0c7cf46f
  SHA512: 04384dc5d6bcbefb79be2971ba5378cde2d91b172cfc56a18fc459f856f236d3c0c1b4b52c61d0c1d53bf6c1bfd89a17780d5cefc6b66cb848ad7888f53eb2ec
- Filesize: 2.4MB
  MD5: 20fe4b16d13a547a5d7f4dbf543b595a
  SHA1: 3c59aca1c693efb9923f04c312fdcd47388d24eb
  SHA256: 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
  SHA512: c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e
- Filesize: 1.2MB
  MD5: bea6ed281b600eae06be252f581721c1
  SHA1: 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
  SHA256: d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
  SHA512: 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
- Filesize: 1.8MB
  MD5: b0abfe65f6de9238e3b03b6d5e115706
  SHA1: 217ab85c40c8b968fd5193eaba20b841bb09e891
  SHA256: 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
  SHA512: 87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c
- Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
- Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\AlternateServices.bin
  Filesize: 12KB
  MD5: 62939609759029052206c23205ff5064
  SHA1: 4aebba95a60ba6fef2360e0804369b08116b1b02
  SHA256: b1495134636bffdd624577a88c6960bf82af3aec0d1d71dd98084b856d60260f
  SHA512: 0b4951fd81e3acec26851f0de35fea50afa029aceecf6b9ed410b9dcda1d4a93bfefb11db829fd2347d5837b5eb6eced65ef909fa343fcd95dc849d9c7226add
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 15KB
  MD5: 1818a507dac43eddc81b9a2006da0957
  SHA1: 55664072222d004ca77fc072e2c259d30f5bf227
  SHA256: 64645acb976f1fad9a05f4a79ed142e8fd6774398bdaeb37ce85f68316066b1c
  SHA512: cc7291a1bcaa6dab36d054b928c8a574b0ec5ebf15bd1cb27b2785bb493c1f34f06a12b3bf46cf053eb2b6cbb8f7b5165c440a708dfdafc622b8d6e250427a3e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: 3a709d981d183519a3e05b6b7e0b4f30
  SHA1: 4936b6e9e2a5e07594c55bb7f6ebcc1cf51473bb
  SHA256: a94305d13cb5010bd2e57a586acbb646b11e6f285d1ac413d13f54ae0917fa82
  SHA512: 987915ff5a374a475db97d68b753be25d36bdd5a86b37bf53a9d0920b7abd9685adc489952b8a99ee5759a4349ff661c5c8ea7881c5839272639424b7aa1d62a
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\751b8c7c-87dc-4131-b2d4-01676a1caeef
  Filesize: 671B
  MD5: 63724a569c998da45f9f63cf57d420f4
  SHA1: bdb0c6c835cb0a2339e6bfe3bebc568471bc492a
  SHA256: c4115dce71fdd8a6294b72025ba1767d207a7ab0ed2daad5c75a33fccd75bb43
  SHA512: f776b3e87a5c78b4efd11a04c07d748b5c0e1acd1b29ed4f3ef3f3ec91b470e04bdb21c597a57b388e92be593507b36dd26872c046fc27e45688ffa353a330dc
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\80cbc8ea-8c4c-4aac-97ea-5a26f63602d2
  Filesize: 24KB
  MD5: 6a17c0cf9d206ae6cad7974071a20e35
  SHA1: e1413b6ad47d2d36aa6ef85b54981c7124e437aa
  SHA256: e9f9cdc90d7261c986df10029e43bd5d580f613e7ab2cb599214a8124d5ad204
  SHA512: adbbcd99d8c5a766ebe4506815f3168a64300a95f4a170c58fca923acd16dced849fa8409f5208a77db3ba80b90dba5b757640ac0b22bb7d8352498f9601d71c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\datareporting\glean\pending_pings\84e605ef-eead-4aa4-8171-3a76a925f7d9
  Filesize: 982B
  MD5: 4f5593aa27f9ea39c11aade02c84e6ec
  SHA1: 95e0986d95ac88498d1e3b614957f0a436f1c68f
  SHA256: bb70cd59e82b4355559e2a0d35e4e89f40b1d61e0c253157489026fee3134282
  SHA512: 742a1405638a56b54a024fc403c7ade1924ac484f4dc201e22be3ef1113af7c0de61503516d0354a321a66b578b8be1335a027f58a2ecdc9b4775bca3783bda5
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s6dardkt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
- Filesize: 8KB
  MD5: 1dba8958f6ca15e07676c80fb5c93723
  SHA1: 82d0f541c61b070f9bcdd21487c10e2a1d067368
  SHA256: 6e57d523a6fd2b2b11b1fad998ebb366142a33afc5cf5e07299c9f1584b387d7
  SHA512: 1984c5b4b195632cbf127e5f37ebee0778b4b05ada52198a5a3158d6a7c1d5f9c6580d3f00ad501499dd837b3a96284dd228bbaa933dc3a63084791fe5eca363
- Filesize: 10KB
  MD5: 5cbe90051677b36dfaa0605a6c349656
  SHA1: ee54b45553bbc8494244df51cdbd90d1b2bf444c
  SHA256: e856ab98d5924c1f28fb0a8e21f8093a4e4429e8c019abf3d4756215140ace79
  SHA512: 799b8fbf3acd0b68a5db65c88f2e1f280c9beaa9693ea1afce6c2a764f0daa26bbcf2289d5e70f60bf5aad49cabf3d30cf82ce1ddbf027bec1ea340355e0c8db
- Filesize: 13KB
  MD5: 05f0a7735dc28949127326cef5aa420e
  SHA1: 87b9122c23e840b8600621213aab7a31cbdb266c
  SHA256: 2fbe867f38d8ef9d6a4fc404a08c6a48e029efc0b6d271250a4d88caed583fb4
  SHA512: 98c58a36ad98393ccaf8ddb5deaf1939996b8946486412ee8f5e9cba3508c37ff9c4323aa0407efa8c9227d2cf1e01a055e3ae20e0a3826c97ee0f97476c4a2d
- Filesize: 8KB
  MD5: 61adf904db4ef752ae2141c4a704c964
  SHA1: dc279781ccb929f260bd1cb8f8515b8e1167ba4f
  SHA256: 3389a5d4a5cf11ec4c1886cac591f987f93d64787586f25540dddb37242f9e57
  SHA512: c5abc079aa33de5c37fdd3d6e5e08e80862a91b5e4c5e77269dcfdf75a589a46d3033aaf4b1e3152725b4b649f4d4a73b0a52d89fd0591cfb203b73ae60d548d
- Filesize: 8KB
  MD5: 640d68c3e1cb2fa84d7798cce5ebf112
  SHA1: 8886844ca2ca8c4bdd4f7b14469f39e73b03c893
  SHA256: 5825160fecd0ff6e05aab7aae659a132f16646263cfe2c4b20e264786bd78f67
  SHA512: e8c523912a81450b8c2ba23e10b68c3c400f9a64126c162727667ea4fb9c843c5ca2a215e91e38e0cce81f74884bb7793651fab4bc9139864bf237f406029e40