Analysis

max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-07-2024 23:48

Static task: static1
Behavioral task: behavioral1
Sample: 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
Resource: win10v2004-20240709-en
General

Target: 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
Size: 1.8MB
MD5: b5e7797b2a49edf96b67c1040b301e45
SHA1: bab8594d3af5eae8b2918c9d3a6c1811957c489c
SHA256: 711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701
SHA512: 46c8d1555ba6ace3f911df9a3c00d9802e3a021c3d3465c006b6f6d36e3e605f8ab74f3cb31ca77f7455a63859e9664e198246e1c2cb4994b695cb1a0ff4f0ba
SSDEEP: 49152:HNOk8gUv3yUbpoJ5weZAFf3uHyGo++tonC:t98g01bpNb3uyoJn
Malware Config

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
Attributes:
  install_dir: ad40971b6b
  install_file: explorti.exe
  strings_key: a434973ad22def7137dbb5e059b7081e
  url_paths: /Hun4Ko/index.php

Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
Attributes:
  url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  JEBKEHJJDA.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description  ioc  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  JEBKEHJJDA.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  JEBKEHJJDA.exe

Executes dropped EXE (7 IoCs)
  pid  process
  1976  explorti.exe
  5044  fc4cdd3117.exe
  3488  85b0d4518c.exe
  3196  explorti.exe
  3828  JEBKEHJJDA.exe
  3748  explorti.exe
  4012  explorti.exe

Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine  explorti.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine  explorti.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine  JEBKEHJJDA.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine  explorti.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine  explorti.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe

Loads dropped DLL (2 IoCs)
  pid  process
  5044  fc4cdd3117.exe
  5044  fc4cdd3117.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource  yara_rule
  C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe  autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  pid  process
  4968  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
  1976  explorti.exe
  5044  fc4cdd3117.exe
  5044  fc4cdd3117.exe
  3196  explorti.exe
  3828  JEBKEHJJDA.exe
  3748  explorti.exe
  4012  explorti.exe

Drops file in Windows directory (1 IoC)
  description  ioc  process
  File created  C:\Windows\Tasks\explorti.job  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description  ioc  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  fc4cdd3117.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  fc4cdd3117.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe

Modifies registry class (1 IoC)
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings  firefox.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid  process
  4968  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
  4968  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
  1976  explorti.exe
  1976  explorti.exe
  5044  fc4cdd3117.exe
  5044  fc4cdd3117.exe
  5044  fc4cdd3117.exe
  5044  fc4cdd3117.exe
  3196  explorti.exe
  3196  explorti.exe
  3828  JEBKEHJJDA.exe
  3828  JEBKEHJJDA.exe
  3748  explorti.exe
  3748  explorti.exe
  4012  explorti.exe
  4012  explorti.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description  pid  process
  Token: SeDebugPrivilege  3312  firefox.exe
  Token: SeDebugPrivilege  3312  firefox.exe
  Token: SeDebugPrivilege  3312  firefox.exe
  Token: SeDebugPrivilege  3312  firefox.exe
  Token: SeDebugPrivilege  3312  firefox.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid  process  (the report lists 64 entries made up of the following pairs, each repeated many times)
  4968  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
  3488  85b0d4518c.exe
  3312  firefox.exe

Suspicious use of SendNotifyMessage (64 IoCs)
  pid  process  (all 64 entries are the same pair)
  3488  85b0d4518c.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid  process
  5044  fc4cdd3117.exe
  3312  firefox.exe
  4596  cmd.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description  pid  process  target process  (the report repeats each relation many times; each distinct relation is listed once here)
  PID 4968 wrote to memory of 1976  4968  711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe  explorti.exe
  PID 1976 wrote to memory of 5044  1976  explorti.exe  fc4cdd3117.exe
  PID 1976 wrote to memory of 3488  1976  explorti.exe  85b0d4518c.exe
  PID 3488 wrote to memory of 4216  3488  85b0d4518c.exe  firefox.exe
  PID 4216 wrote to memory of 3312  4216  firefox.exe  firefox.exe
  PID 3312 wrote to memory of 2320  3312  firefox.exe  firefox.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows parent/child depth; each entry gives the image path, the command line, the PID and the signatures triggered by that process)

C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\711e736fad92ec9e756a88e4e59c2b2402e08d26cf18d31e30002d9e500df701.exe"
  PID: 4968
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    PID: 1976
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\fc4cdd3117.exe"
      PID: 5044
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe"
        PID: 1240
        C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\JEBKEHJJDA.exe"
          PID: 3828
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGCFHDAKEC.exe"
        PID: 4596
        - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\85b0d4518c.exe"
      PID: 3488
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        PID: 4216
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          PID: 3312
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a353cd9-634b-4217-ba96-a0d95fbfc956} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" gpu
            PID: 2320
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2272 -prefMapHandle 2192 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {952d8aff-93a7-4fda-9bd0-3a1b5b0c9676} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" socket
            PID: 756
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3148 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70760208-cecc-45d3-a97b-231872bb2891} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
            PID: 4140
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c40aea27-7f0c-499d-ad24-6db3ea9b51a3} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
            PID: 3776
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4856 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd99c800-e0a3-4169-a54c-9fb765424a82} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" utility
            PID: 1964
            - Checks processor information in registry
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7768b288-b3bb-4dfc-9b27-e8a071d4646f} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
            PID: 236
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5652 -prefMapHandle 5656 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {798f52c4-3601-4b58-88c6-6415635bfd1b} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
            PID: 5020
          C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1368 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e33eda6-39dc-4277-b0f6-ca967edf4e4e} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
            PID: 2304

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  PID: 3196
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  PID: 3748
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  PID: 4012
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads