Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-07-2024 01:09

Static task: static1
Behavioral task: behavioral1
- Sample: 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
- Resource: win10v2004-20240709-en

General
- Target: 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
- Size: 1.8MB
- MD5: 7eac58c3aac017b11c5a2a99ae66c51a
- SHA1: 570339f867e074afb6f0238ca2152a50356647e1
- SHA256: 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2
- SHA512: d99289c3746bb2d429d80c6d6757b44f125980a8b461c8d5716d4e49acb2fee1c0c4a94ff66b9a1c90b21d7d23e767201ecb6282288b0b2f068e912942729769
- SSDEEP: 49152:3ABzdidcgK6pe6iKKmRhPzFb4rrUxhCLFB6bjr:3OzucgKqiK3TzJ4XUoBkjr

Malware Config
Extracted: amadey 4.30 4dd39d http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php
Extracted: stealc hate http://85.28.47.30
- url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 5 IoCs]
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (CFHCGHJDBF.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe)

Downloads MZ/PE file

Checks BIOS information in registry [2 TTPs, 10 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (CFHCGHJDBF.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (CFHCGHJDBF.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)

Checks computer location settings [2 TTPs, 5 IoCs]
Looks up the country code configured in the registry, likely for geofencing.
Processes (description, ioc, process):
- Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation (explorti.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation (22d293bf41.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation (c593a3717d.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation (5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe)

Executes dropped EXE [6 IoCs]
Processes (pid, process):
- 2196 explorti.exe
- 5544 c593a3717d.exe
- 6080 22d293bf41.exe
- 5328 CFHCGHJDBF.exe
- 4168 explorti.exe
- 5824 explorti.exe

Identifies Wine through registry keys [2 TTPs, 5 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine (CFHCGHJDBF.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine (5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine (explorti.exe)

Loads dropped DLL [2 IoCs]
Processes (pid, process):
- 5544 c593a3717d.exe
- 5544 c593a3717d.exe

Reads data files stored by FTP clients [2 TTPs]
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Checks installed software on the system [1 TTP]
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable [1 IoC]
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe matched autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger [7 IoCs]
Processes (pid, process):
- 1372 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
- 2196 explorti.exe
- 5544 c593a3717d.exe
- 5544 c593a3717d.exe
- 5328 CFHCGHJDBF.exe
- 4168 explorti.exe
- 5824 explorti.exe

Drops file in Windows directory [1 IoC]
Processes (description, ioc, process):
- File created C:\Windows\Tasks\explorti.job (5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe)

Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry [2 TTPs, 10 IoCs]
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (c593a3717d.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (c593a3717d.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)

Modifies registry class [1 IoC]
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings (firefox.exe)

Suspicious behavior: EnumeratesProcesses [14 IoCs]
Processes (pid, process):
- 1372 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
- 1372 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
- 2196 explorti.exe
- 2196 explorti.exe
- 5544 c593a3717d.exe
- 5544 c593a3717d.exe
- 5544 c593a3717d.exe
- 5544 c593a3717d.exe
- 5328 CFHCGHJDBF.exe
- 5328 CFHCGHJDBF.exe
- 4168 explorti.exe
- 4168 explorti.exe
- 5824 explorti.exe
- 5824 explorti.exe

Suspicious use of AdjustPrivilegeToken [5 IoCs]
Processes (description, pid, process):
- Token: SeDebugPrivilege 1888 firefox.exe
- Token: SeDebugPrivilege 1888 firefox.exe
- Token: SeDebugPrivilege 1888 firefox.exe
- Token: SeDebugPrivilege 1888 firefox.exe
- Token: SeDebugPrivilege 1888 firefox.exe

Suspicious use of FindShellTrayWindow [64 IoCs]
Processes (distinct pid/process pairs; the IoC count above is the number of observed calls):
- 6080 22d293bf41.exe
- 1888 firefox.exe

Suspicious use of SendNotifyMessage [64 IoCs]
Processes (distinct pid/process pairs; the IoC count above is the number of observed calls):
- 6080 22d293bf41.exe
- 1888 firefox.exe

Suspicious use of SetWindowsHookEx [2 IoCs]
Processes (pid, process):
- 5544 c593a3717d.exe
- 1888 firefox.exe

Suspicious use of WriteProcessMemory [64 IoCs]
Processes (distinct source PID -> target PID, source process -> target process; the IoC count above is the number of observed calls):
- PID 1372 wrote to memory of 2196 (5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe -> explorti.exe)
- PID 2196 wrote to memory of 5544 (explorti.exe -> c593a3717d.exe)
- PID 2196 wrote to memory of 6080 (explorti.exe -> 22d293bf41.exe)
- PID 6080 wrote to memory of 2880 (22d293bf41.exe -> firefox.exe)
- PID 2880 wrote to memory of 1888 (firefox.exe -> firefox.exe)
- PID 1888 wrote to memory of 1164 (firefox.exe -> firefox.exe)

Uses Task Scheduler COM API [1 TTP]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows the parent/child level)

C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1372

  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2196

    C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\c593a3717d.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 5544

      C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe"
        PID: 2876

        C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe (level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\CFHCGHJDBF.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          PID: 5328

      C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKEHDBAEGI.exe"
        - Checks computer location settings
        PID: 5184

    C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\22d293bf41.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 6080

      C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        - Suspicious use of WriteProcessMemory
        PID: 2880

        C:\Program Files\Mozilla Firefox\firefox.exe (level 5)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 1888

          C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d026475-adc6-478a-b703-71a1c49e2970} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" gpu
            PID: 1164

          C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {206ca1ed-a44c-4a74-9833-20a0b8ed5d74} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" socket
            PID: 5188

          C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2800 -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 3208 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ebb93e-c8bb-442e-b045-91ac919a09d4} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab
            PID: 4856

          C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3904 -prefsLen 31167 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9355398-9741-4e10-8023-3b714e95d631} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab
            PID: 5104

          C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4808 -prefMapHandle 4788 -prefsLen 31167 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e69bd074-90b6-47be-bc21-fb538bd8878c} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" utility
            - Checks processor information in registry
            PID: 4064

          C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b124394-8bab-4b1d-b463-6e99fc10fc7a} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab
            PID: 1548

          C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4094fdb0-d1af-4e6f-8128-7ff9612757d6} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab
            PID: 636

          C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5896 -childID 5 -isForBrowser -prefsHandle 5816 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94219399-41e2-454f-bc7c-d1789a2b8d09} 1888 "\\.\pipe\gecko-crash-server-pipe.1888" tab
            PID: 2420

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4168

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 5824
Network
MITRE ATT&CK Enterprise v15
Downloads