Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 14:29
Static task: static1
Behavioral task: behavioral1
Sample: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
Resource: win10v2004-20240709-en
General
Target: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
Size: 1.9MB
MD5: 552d0051de12f8651ce6d95f6870300f
SHA1: 56c854d8a0d157c4759f64d9d5f04062479ebf67
SHA256: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d
SHA512: 237a1e1984465e15fd6613744cd6032628283430089ef2347568f772a9d193a7ffa309e037f6d840808f9d71bf38a5567e7ca43dd78bb7315a6da5fa6a4f4e39
SSDEEP: 49152:Qs2BaF6Ad/MLHMutzShKcejb3a698erXN3syKEPqF:6gSNwejTaG8EZTKES
Malware Config

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
Attributes:
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php

Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
Attributes:
url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe, explorti.exe, IIDHJKFBGI.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IIDHJKFBGI.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: IIDHJKFBGI.exe, explorti.exe, explorti.exe, explorti.exe, 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IIDHJKFBGI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IIDHJKFBGI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe, 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe, explorti.exe, f23e5f8a6a.exe, 097f49198e.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | f23e5f8a6a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 097f49198e.exe
Executes dropped EXE (6 IoCs)
Processes: explorti.exe, 097f49198e.exe, f23e5f8a6a.exe, IIDHJKFBGI.exe, explorti.exe, explorti.exe
pid | process
2940 | explorti.exe
2364 | 097f49198e.exe
4568 | f23e5f8a6a.exe
440 | IIDHJKFBGI.exe
720 | explorti.exe
4676 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe, explorti.exe, IIDHJKFBGI.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | IIDHJKFBGI.exe
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | explorti.exe
Loads dropped DLL (2 IoCs)
Processes: 097f49198e.exe
pid | process
2364 | 097f49198e.exe
2364 | 097f49198e.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe, explorti.exe, 097f49198e.exe, IIDHJKFBGI.exe, explorti.exe, explorti.exe
pid | process
4364 | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
2940 | explorti.exe
2364 | 097f49198e.exe
2364 | 097f49198e.exe
2364 | 097f49198e.exe
440 | IIDHJKFBGI.exe
720 | explorti.exe
4676 | explorti.exe

Drops file in Windows directory (1 IoC)
Processes: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 097f49198e.exe, firefox.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 097f49198e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 097f49198e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe

Modifies registry class (1 IoC)
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe, explorti.exe, 097f49198e.exe, IIDHJKFBGI.exe, explorti.exe, explorti.exe
pid | process (entries)
4364 | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe (2)
2940 | explorti.exe (2)
2364 | 097f49198e.exe (4)
440 | IIDHJKFBGI.exe (2)
720 | explorti.exe (2)
4676 | explorti.exe (2)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 3232 | firefox.exe (5 entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe, f23e5f8a6a.exe, firefox.exe
pid | process (distinct pairs from the 64 listed entries)
4364 | 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
4568 | f23e5f8a6a.exe
3232 | firefox.exe

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: f23e5f8a6a.exe, firefox.exe
pid | process (distinct pairs from the 64 listed entries)
4568 | f23e5f8a6a.exe
3232 | firefox.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: 097f49198e.exe, firefox.exe, cmd.exe
pid | process
2364 | 097f49198e.exe
3232 | firefox.exe
3680 | cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe, explorti.exe, f23e5f8a6a.exe, firefox.exe, firefox.exe
pid process -> target pid target process (64 entries, grouped)
4364 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe -> 2940 explorti.exe (3 entries)
2940 explorti.exe -> 2364 097f49198e.exe (3 entries)
2940 explorti.exe -> 4568 f23e5f8a6a.exe (3 entries)
4568 f23e5f8a6a.exe -> 548 firefox.exe (2 entries)
548 firefox.exe -> 3232 firefox.exe (11 entries)
3232 firefox.exe -> 3336 firefox.exe (remaining entries of the 64)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the process tree level; the number in brackets is the level as reported)

[1] C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d.exe"
    PID: 4364
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      PID: 2940
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\097f49198e.exe"
        PID: 2364
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe"
          PID: 4280

        [5] C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\IIDHJKFBGI.exe"
            PID: 440
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe"
          PID: 3680
          - Checks computer location settings
          - Suspicious use of SetWindowsHookEx

    [3] C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\f23e5f8a6a.exe"
        PID: 4568
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          PID: 548
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            PID: 3232
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adccaf22-0dca-4f5d-aefe-d99ff385d5ea} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" gpu
              PID: 3336

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32761125-702a-4cae-92a3-8bff37e60a8b} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" socket
              PID: 2116

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 3492 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f06f103-d8b8-4a79-ab61-f2408ef46a32} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab
              PID: 464

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -childID 2 -isForBrowser -prefsHandle 3828 -prefMapHandle 3824 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {662e66a4-2cd7-4fb4-8a99-959cb473bf0f} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab
              PID: 4344

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77e1bbc7-5723-4ceb-81fb-19d57c8ac434} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" utility
              PID: 4696
              - Checks processor information in registry

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 5528 -prefMapHandle 5084 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a03358ec-acad-43bb-b8d5-93cb586ceeca} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab
              PID: 1000

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 4 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64899ead-91b4-4fba-ba93-9074db9f7471} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab
              PID: 1620

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5884 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a239d5ff-6df5-4533-9579-d77056cf4219} 3232 "\\.\pipe\gecko-crash-server-pipe.3232" tab
              PID: 3940

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    PID: 720
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    PID: 4676
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 18KB
MD5: 424c1bc416fc53995be1d9433fb203c6
SHA1: 9d97683626b580eef923c913ebb0da911ba9ad01
SHA256: f1bf95969c219674de627bf6274bec2bce48a09409e5c0309af4dc91f39a1298
SHA512: 8d735aed6a1d3cbea36c676f492b8ad6f05d1c3a5fd9a273dc724a89a438cecdb734e9b6781daff5771278d8c0092a3bbf0c2fafd8ec5746f120f045c14bfdb5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85t3rifc.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize: 13KB
MD5: a5b2256d54ff785e3e823b083df82084
SHA1: 2b0406cf58f45b0a70b7f7fb93db71ddc9dcaf34
SHA256: 0908ef02c4a8c24298acefa82bdd8b3b8d6fd87235dd663ba136b19f36261418
SHA512: b68cbb8b8d1d7ab614a398c3ffde4465b6922e636e2dfd2d11ed6c1a6d90203685d47378a6ff08ab7c056dd2a5cf61abae8de9da9a4bee8e23fa1f2644f6ec2a

Filesize: 2.4MB
MD5: 20fe4b16d13a547a5d7f4dbf543b595a
SHA1: 3c59aca1c693efb9923f04c312fdcd47388d24eb
SHA256: 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA512: c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e

Filesize: 1.2MB
MD5: bea6ed281b600eae06be252f581721c1
SHA1: 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256: d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512: 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

Filesize: 1.9MB
MD5: 552d0051de12f8651ce6d95f6870300f
SHA1: 56c854d8a0d157c4759f64d9d5f04062479ebf67
SHA256: 506b84d7ea907558930b75f07f5d06d0779323730af6ac3989921129c78b3f0d
SHA512: 237a1e1984465e15fd6613744cd6032628283430089ef2347568f772a9d193a7ffa309e037f6d840808f9d71bf38a5567e7ca43dd78bb7315a6da5fa6a4f4e39
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin
Filesize: 17KB
MD5: dbc2b90b4f09e35d2f89946b92e33793
SHA1: 062720d4b4a89751d99010f01564da2ce8bac02a
SHA256: df2545c79686283667e3c8c6f49635b00bf1a9be2581afaff8522219963b7c66
SHA512: 1c7bb3ea3ff6eb6800f82e32b1932d7f08cda928dc528a30e4263fe6cc7cf865a380049592edaa48aeb18e667928f026a8c5a0c415f82c80c669aa7a0a10d2a4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 6561c01ce2f0a56f16bc6911460b323a
SHA1: 657f2eb546fb9c64157b40664080bd3d7e89d3a6
SHA256: 2174ff2d6526e76722cf64d5a24171bb8e54b3eca9b0b24174fa4dc7ec3b65bf
SHA512: f67e4653f1b38a9645047398f0839e3d1c23adcb210deb84f891c21cd9c0439d396f711750516f24056d559360d6724e4dacd8f69724751c9f91f8f687385bd0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\AlternateServices.bin
Filesize: 11KB
MD5: d757a67b7d40830d171843c20f1c81d9
SHA1: e994cc3a46fa09cba99380989d24eba6b9e1901b
SHA256: 24ae8280546e0d329e93af1986ac128da4157f601a94de2905c8d54a073b3db0
SHA512: bdb88b6f678a5274467528f6a92e872a5a2acc6096a2c15f5556a6d0ef4dab6090b75cb1f3f8be7ea4d597b06ed968c8a5e61f7920cc98dfee06a78e91dde184

Filesize: 256KB
MD5: 8f1824c2de9b78877645dac55862743e
SHA1: e7a74ae6e6de07211c135a0a8a62cf8d61ff105c
SHA256: 4d0152f065c127d2783a664860f614dba9edcd6fd6b065353f142fc4689c933f
SHA512: c6674bafdb39da14a310f556594d46ae89f567d2ebd22734f0d89bc4670295447852fb9ad3f63eea739e2ab4112f100a75754a026e997d927f5b5516935017fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: bc13cc7939a0b3524a8058e274d37e1c
SHA1: 75fa9a9c3be41bdd5122c21b0fe92faca88a345b
SHA256: 376f3b2063dd76f8dc1b56e90a47197ce14c91d4fd29b885af9ec93eeb4bea41
SHA512: 79b5123de65d34dd053aa6c99f776ba1a3975cc83787457487ce08bf98334b920c287f9459b007ee514335d91225d3e0e387cbb96324af03d14790f0c6569344

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 16KB
MD5: 51ef54a64bdc32b8b399af3ea32eee5a
SHA1: 8ca05ee55fe95b92fc70e79ffa726a6a1d32ed90
SHA256: b463b946aa96f24735e753aa938c08130d9e9625b95f6d360afe0fd4c2fb057f
SHA512: 05afaad8e6f83e045e98b48e570fc5e24177265846940c73f07f8969dd380d780440b235da7e299ad49261af68bc15ff7e054c5937e619fe193d947e8d7679d1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 7e6646cc81aa4f3362198f69965977de
SHA1: fd324c12ad28aee90141c042f5a10c80421d8f1a
SHA256: 422099c4dcefc2c2987165d183faa8b1c23692ad5a67814ddd675ad7713f8455
SHA512: 1fe53c2bc796f9ed07be1a0c36c85bfa47ecdddeb3e7d6c98627a2c4a3348f39bc9755dfc76958e40b4020f0a19d4f26f3bb7e7f4a9c1686049e57add2426675
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\1f5714a5-0828-4cd7-9322-1b7404052b1e
Filesize: 27KB
MD5: 734a462e4d7e6857ccca0aac3617b697
SHA1: 4661a2e5255d72ee4ba134e88e703654ad2dbbac
SHA256: e33df52c46e4b8bce603201410649065cd9bbfb60d50025e47f7b8169405cdaa
SHA512: 88f97e1af0a2eb1c0a0e9406240c415180ff0ae797609c1a43e2934b869a148519a43ae692b6c837e085b35f3e6a3691fb07a8400967cfdc0c7b32bf9aece90d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\5b907a58-c65a-4ae8-8b7f-5e6feedf614e
Filesize: 982B
MD5: 63890e1bac15958b04f51c72604ad8c6
SHA1: 79e9dac31caa29a6558f7423fa4e7d7ac34f34ca
SHA256: 0d3fe2125bb6d76e763efc66fbaa58d33ce59df21b5023ab243d87d58d533df7
SHA512: df99efee9d4c7bec8ff32497ae8d3e319fc17a814a5acda188d7f533ce9f6113bd3e7b7467bdfea2559a13ca16091e6c1823728e1e08bb7af00fe1cee25a4693

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\datareporting\glean\pending_pings\b92c8baa-62b5-41e0-a107-34f1138b0aca
Filesize: 671B
MD5: e6c41a3f446a518752731189cea2ee73
SHA1: 960629c2b62f50680502282952320212adc71b06
SHA256: a92c768891142cc50ca953e04536a8f2e3c845a07e8f2812532af35258de07e9
SHA512: c3d5da9d486ac8a0eb0040eb63f029bb8ec0ac01ced3f1bdb8ef36a1b85f28a37efd14672d7ca3ec392d5fa1d769882848e62242376afaf6eaa68e5fb55d8e36

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85t3rifc.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 992KB
MD5: 919c21cb2359decf8074f2378bcabb54
SHA1: 3cc39a98f390f9317109b7fc32b79bfa7fa53f88
SHA256: b03119712ae80ece048d2f17fbb65b6c1f107a7ea9d42505f0ac070b3dd6f9e7
SHA512: a3f95d463cb4731ab7b6ddb80d1ccd6a323a85c52bcc1c5541b82feab6bc87aa92c387067cb62e613e72cae1fcbae0e82816b3119ac7b034aaf60bf4497437d1

Filesize: 10KB
MD5: a5d6927a4cb298a0439e9193fa537b83
SHA1: 2435165b1c8e4f81005ea40caa7a2827def1e8b1
SHA256: c09158d0f99ef137c10d9d98a7e31166f36d18c1662160383bab57fb69dbec52
SHA512: e7887a123257fd96b723ac171f91d2c7d14651b4547269b5d4c7347b2424a14a1722b6ae88208f9b7c4ec75ed5506827e8ea74fde10c9cee885775c2b5a84d02

Filesize: 13KB
MD5: a1d3384bc7d6387dbf0463e41d161d76
SHA1: 029543d3aea689e1912b95d55d01e8059cbe341b
SHA256: fbc53430e34ef281defc49f6d1df3f3e246fadfe60f5eb3ac705eed65c2ec159
SHA512: 8e00ce3e463a77027617b7a15d1e0568e62181a43f060cff4072f91b5be36160e17ce6e98f848eb9dfb46d4e924e642d62c376cf2c620636b8513d4d2defab9e

Filesize: 8KB
MD5: f2c110fd78a08e802cfdf3393d85e374
SHA1: e68fd5f946ad03da16b311ba117b3782116e8a33
SHA256: f3990a62b466c393af4f8b265b17d610c3fb0d57aaecc5f6b0584fa8b42b925b
SHA512: f1bd75df7ca5a1a6cfecf8c961486bf5081e8d60dcffae610038396bb926850d101641b5bdbb1c43e8e830976ad396c4cbe7771a9a07ee580fc0d1c9c0967b2a