Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 18:15
Static task
static1
Behavioral task
behavioral1
Sample
ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe
Resource
win7-20240708-en
General
-
Target
ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe
-
Size
1.8MB
-
MD5
c21e9030716bbf545c1a6aed23780cb9
-
SHA1
7e870d396ba3c4e05a942f1d5834e8ef0e102ef1
-
SHA256
ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee
-
SHA512
f40f08872ed7add791b3c8f5b5d09e670b131e64eaa837b77ceaa198c4fbd3b1ac843cd7744fd29eebc654c730560a07840ae5dd333d1ffd591d6524a96500bc
-
SSDEEP
24576:GjrY6m/AlvTGs5A5D1YkvSUPqEmP1bVJXHYiGGMco9fxLx1mEpZk1hfv+GTyFxJB:GYAlbhKZ1YkuE2gE+fxL2r+zWLq
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
explorti.exeexplorti.exeexplorti.exead19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.exead19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exeexplorti.exe3c93f2cb4e.exe8e7bc7805a.execmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation 3c93f2cb4e.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation 8e7bc7805a.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 5 IoCs
Processes:
explorti.exe8e7bc7805a.exe3c93f2cb4e.exeexplorti.exeexplorti.exepid process 3796 explorti.exe 5000 8e7bc7805a.exe 5020 3c93f2cb4e.exe 3992 explorti.exe 3848 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exead19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
8e7bc7805a.exepid process 5000 8e7bc7805a.exe 5000 8e7bc7805a.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000010001\3c93f2cb4e.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exeexplorti.exe8e7bc7805a.exeexplorti.exeexplorti.exepid process 3996 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe 3796 explorti.exe 5000 8e7bc7805a.exe 5000 8e7bc7805a.exe 3992 explorti.exe 3848 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exedescription ioc process File created C:\Windows\Tasks\explorti.job ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exe8e7bc7805a.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 8e7bc7805a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 8e7bc7805a.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exeexplorti.exe8e7bc7805a.exeexplorti.exeexplorti.exepid process 3996 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe 3996 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe 3796 explorti.exe 3796 explorti.exe 5000 8e7bc7805a.exe 5000 8e7bc7805a.exe 5000 8e7bc7805a.exe 5000 8e7bc7805a.exe 3992 explorti.exe 3992 explorti.exe 3848 explorti.exe 3848 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2508 firefox.exe Token: SeDebugPrivilege 2508 firefox.exe Token: SeDebugPrivilege 2508 firefox.exe Token: SeDebugPrivilege 2508 firefox.exe Token: SeDebugPrivilege 2508 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
3c93f2cb4e.exefirefox.exepid process 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
3c93f2cb4e.exefirefox.exepid process 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 2508 firefox.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe 5020 3c93f2cb4e.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
8e7bc7805a.exefirefox.execmd.exepid process 5000 8e7bc7805a.exe 2508 firefox.exe 64 cmd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exeexplorti.exe3c93f2cb4e.exefirefox.exefirefox.exedescription pid process target process PID 3996 wrote to memory of 3796 3996 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe explorti.exe PID 3996 wrote to memory of 3796 3996 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe explorti.exe PID 3996 wrote to memory of 3796 3996 ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe explorti.exe PID 3796 wrote to memory of 5000 3796 explorti.exe 8e7bc7805a.exe PID 3796 wrote to memory of 5000 3796 explorti.exe 8e7bc7805a.exe PID 3796 wrote to memory of 5000 3796 explorti.exe 8e7bc7805a.exe PID 3796 wrote to memory of 5020 3796 explorti.exe 3c93f2cb4e.exe PID 3796 wrote to memory of 5020 3796 explorti.exe 3c93f2cb4e.exe PID 3796 wrote to memory of 5020 3796 explorti.exe 3c93f2cb4e.exe PID 5020 wrote to memory of 4540 5020 3c93f2cb4e.exe firefox.exe PID 5020 wrote to memory of 4540 5020 3c93f2cb4e.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 4540 wrote to memory of 2508 4540 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe PID 2508 wrote to memory of 3052 2508 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe"C:\Users\Admin\AppData\Local\Temp\ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Users\Admin\AppData\Local\Temp\1000006001\8e7bc7805a.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\8e7bc7805a.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5000 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJDAKFBFBF.exe"4⤵PID:1728
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBGIJEHIID.exe"4⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:64 -
C:\Users\Admin\AppData\Local\Temp\1000010001\3c93f2cb4e.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\3c93f2cb4e.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba3bb904-0059-458b-a72e-d6d4f879930a} 2508 "\\.\pipe\gecko-crash-server-pipe.2508" gpu6⤵PID:3052
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {714d4b80-2c07-4809-ab2b-ec6987b4deb0} 2508 "\\.\pipe\gecko-crash-server-pipe.2508" socket6⤵PID:3184
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3152 -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3132 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {631df46b-5963-4168-a2fe-c2ad53be6135} 2508 "\\.\pipe\gecko-crash-server-pipe.2508" tab6⤵PID:3088
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3220 -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d96e7155-576a-423f-ab49-b704c57cea10} 2508 "\\.\pipe\gecko-crash-server-pipe.2508" tab6⤵PID:3564
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4636 -prefMapHandle 4748 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92726125-18ef-4406-8eff-604f49b12330} 2508 "\\.\pipe\gecko-crash-server-pipe.2508" utility6⤵
- Checks processor information in registry
PID:5176 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 4656 -prefMapHandle 5484 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6959a5f3-254e-4263-9ffd-d1c4721ab98d} 2508 "\\.\pipe\gecko-crash-server-pipe.2508" tab6⤵PID:1620
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad6d9095-a34d-46b7-a98c-9e855c9f4b9a} 2508 "\\.\pipe\gecko-crash-server-pipe.2508" tab6⤵PID:1152
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5816 -prefMapHandle 5820 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edb03734-46ca-4770-9bb5-5b340bfdc30e} 2508 "\\.\pipe\gecko-crash-server-pipe.2508" tab6⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3992
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3848
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD58b9ec3230dec812e0b1a76817f14e41a
SHA1befcfe4157fc06abb0df860ba51ff75ce0795dc7
SHA2565f5ade1656498555922c83c1109d1a41cba78927b00c7d196ae9da778d3026ea
SHA5122e42a777a1a653e75ccc96375bf0153a1b5e4d4918feaf6f5ba224a79ebdcc596933b3556f47210adb80f64321c0b0285f9da677cec4a64c4222a723062bfa42
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\activity-stream.discovery_stream.json.tmp
Filesize18KB
MD5695a51a726b1bede7772e4e16703eedb
SHA173424266b7b1d39002c2c89cfad0fb9bafac77ac
SHA2561997c0a5c8cd05544bb6111bbe32e8fbf411549137b10ae6ffbc0548088c1747
SHA5126a9a386163734176434c6c8ff345a48ef61755c89c196aaa9f41745f60cfc4e873cf36b9322474046b45cef1c5199ea77df6f44964046d7750987b53f98e0fc7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vvc8bff9.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD558167cf705e4f1d4092bbc7ddf4736ef
SHA16e2939f418d8f99e3656d62197fe8c402fd1767a
SHA2562483e9ecd57ca8fd9bb218405866447f941eff0fdc19c3c072a834f7176b5680
SHA51203df6772f1ca4011f2b1e133306b8318521715df113cd13476f86e4cde1ea9ef71e42510a124a84535eeb3f768077908bfd95a4047011b477a1bb969a4f07391
-
Filesize
2.4MB
MD5b4ebeb2d1f4ae644c919c3a70b120b83
SHA1a5cce77670e8bd84b6114f91bf775b85e25458b7
SHA256f6bd9644cb568ce7f7ca4bf2dacf352472b36d656735c1eafe97191a5dac6c7c
SHA512029efcf89ae423379f10d2999a8861f439ea7fc492c2b359b6740e771b8ad95518b5cc49c53d6d3b9967e0b138d2adc65ef0227856d1b426e9e780ec0bc321ff
-
Filesize
1.2MB
MD5bea6ed281b600eae06be252f581721c1
SHA125fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
1.8MB
MD5c21e9030716bbf545c1a6aed23780cb9
SHA17e870d396ba3c4e05a942f1d5834e8ef0e102ef1
SHA256ad19679fc29e8a399dbb3d9f80d5cd9284d22140b05ac66e501b2e6c1596e4ee
SHA512f40f08872ed7add791b3c8f5b5d09e670b131e64eaa837b77ceaa198c4fbd3b1ac843cd7744fd29eebc654c730560a07840ae5dd333d1ffd591d6524a96500bc
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\AlternateServices.bin
Filesize11KB
MD51288415a45c9d823f7a030ac72f16b88
SHA179bfc70787ec12413d0d77512491e5950ae83364
SHA256eb51c56b483aefe3b87017459063bea6fe2c7490c3d9ccf45dfd65f8d522b8ea
SHA5127e312631de758926acdff28ab9e2019490a01540cb904c4c6453530343b8b00c73333f655f64b1e921ae0844b873f8da718878ef0953598c9371aa78682584bc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5df98e7504cb38ad0c253433c7b0dfbcf
SHA17f52bdc0b57974b1ff01c41dd04e3301034c8764
SHA256569fa8af641f0d4babfa3bbc63e0beac4ef285e6051a57853cac47bd15b609a1
SHA512bafec5d9460719ba60a15891c7cdc8055ca90e1f6307969dde8433bf8160912a8268cbfa0b738e0ad3908c57fa2bc6b7389ade8f0db2556cde8f3fba68fd1380
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp
Filesize30KB
MD52ecdafdebef17a5685cc7ebf51276f76
SHA1142085f5ddb35fd2512f6797b4211b6eb0c4d7e6
SHA2563ac683e3fdbe0193bec53c63b3b52b46aa24ef83684c9c5278064715b03c8bbc
SHA512dbf4a986a3461f178f6b05ce479be6021c8f973c7cda3107671fefffa659c83f950fd69e4afff2e8aad6b14c08ffd2328ffd1871d336204885ad714324fe7fdb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\db\data.safe.tmp
Filesize31KB
MD51320ac08064d95b314dc1c56a4f5fc94
SHA13c374ce7891dabf3b18d2b938c3d2c2727ba6dff
SHA256ab1ead28c316afb99c837ecbb46840629ef8d8307c3f1e87b5471c95a3bfbe55
SHA5127655089a55412ffe7103adc9a5afcbfaf07c2af503f4b20978b1a19a44cf1141f599a7d6455ae655148e858d4343771fa18112aee4cfe1a0ef6d91f912f1e377
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\4efa5776-8b00-4f32-980b-0ffba3a6065a
Filesize671B
MD5f335e5dc55c69801d9a2997efa2ef06a
SHA1a9738e8c848c826a5c42ae3b60c66f2ef4e75846
SHA2562a243001e2669a8967c6bfac7733972b2764310c355a72420620aa5268c14f21
SHA5128d659c667b2fc6c1774ff7910a67d5bc3ea8632b35fc40fe13c7e474b54b19535f9991fcfe4845515d8dfe33b246811c07cf1467819ed641fd04ad2e0325abb9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\e31f6fc8-e571-45fb-a977-adaac45e8591
Filesize982B
MD597541189ce2a5ec05db57348754772eb
SHA12cbcbee3d61e40bfaae1f27b4554c251b93414b0
SHA2562b2efb8d247338eccb32eafb53d5a55fc93a39171eb4f589124f31912843ed0f
SHA5126470fb1b2397a8f77a491d43a211d223b8e9875f12c11ded9e8175e3dcbeca268da53f452c48f7681b390d8b3ab8c8ad68e4e6dfbb14ea262894c543196033eb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\datareporting\glean\pending_pings\fcdaa66b-0283-43d6-ae68-558e447feefa
Filesize28KB
MD5d4ecc6dbb7c96be380dce6877eb048d4
SHA167bdeade218ecb78c1f5e3f3cd8bc1c2c5d6aa5b
SHA2567c113e17611e10d931c55bf99271a771ffd31f1c547993f5a70024ea8efcc9f2
SHA512ad5260cfe5d6298f05e18c6b3f81055cdfe72f5bdd70a5592306e60fa83f8b1f9845546c9f030082322c2e77038f4ee9e9afa80ffb1ac194a11e69a56ee4f3cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
992KB
MD5ee4e18ce9ce52f8acb093e193c65246d
SHA1bfdfc0c8771853cfd18cf75c5bae97c2c354ec84
SHA2566fbb5bf901972a6362e011c367e17f350bdbd92bed61eb1ee697b58304772f18
SHA512dbeac15cb228546941cbf3f374467e7b33a107a251bfc25e1e33ee68be4b15b9a6cc61c78062a01b7249d2620f49c953928bb1d5a64dfa77af25f0225d7767bf
-
Filesize
13KB
MD5a6fce0c5e85f54e90e06f54e454b62a4
SHA10ccade7a15f9a12423eea64d43bfb60b55c5905d
SHA256a0a1196cdc745cfcce5d0fca9fe1ec8b2f6d6778db772b077ec1c4627cedc730
SHA512d900d0c5fbdc2049e2eff1b67f08665fe64c9b32418b125bd231309574293e571d8e77972695285511f07dd1325832a19f09000de9a4950c8d6cb9f06de0f7d9
-
Filesize
16KB
MD5f307d5ff15a6324576149f50e72856a3
SHA11341d66c2b2419b595aa4492e06f2c694b5b4552
SHA2566b5a0ef36596d5944808b0bae2cbd81e086dc0ead3ec3ccfd961e05210bf0028
SHA5124fe5086f60ea9d3e05022791f285f824b50baa8bdf154f7d6d36541bd0ceec68c251cb32f21a051cc9f8329e90f0986cc4e5d56f0336baf913ac027f403f36e1
-
Filesize
11KB
MD575ac1445181e95943054044bbf9b535b
SHA139de1d335d0f18f9bba6018279e7afb8bb393a2b
SHA256dbcc2bc6ae2a486e2de1b5f6bf86cc018c19debfd1ecd6280b9c733f506ee4c9
SHA5126598bfc4d972c458a9fd46f4f6baffad8ab589660ea38a4991fbb1058e37828019725e02dd5efd1ee45a023f8ced01cded21b094eca8e4277c0ee8cb54388b8e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vvc8bff9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.1MB
MD5a805667237630c370a61f6b6030d0418
SHA18b4f224f0a87318549dcdec8b0ff16261c942edf
SHA2565a416a2a6676bcd7c9e4410316fbbe3e23b541a735fd11216b4be9cd345972d9
SHA512ea771baf15754c9995ae9f5effda0896e2615d9f188a63c0f7e80d023633a96dd09b5ba89f6026f8e717747ec915b26053547b547a60fd9c1b4d68e36b00da86