Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
12-07-2024 01:09
Static task
static1
Behavioral task
behavioral1
Sample
5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
Resource
win10v2004-20240709-en
General
-
Target
5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
-
Size
1.8MB
-
MD5
7eac58c3aac017b11c5a2a99ae66c51a
-
SHA1
570339f867e074afb6f0238ca2152a50356647e1
-
SHA256
5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2
-
SHA512
d99289c3746bb2d429d80c6d6757b44f125980a8b461c8d5716d4e49acb2fee1c0c4a94ff66b9a1c90b21d7d23e767201ecb6282288b0b2f068e912942729769
-
SSDEEP
49152:3ABzdidcgK6pe6iKKmRhPzFb4rrUxhCLFB6bjr:3OzucgKqiK3TzJ4XUoBkjr
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
- 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- IDHIDBAEGI.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- IDHIDBAEGI.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- IDHIDBAEGI.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
-
Executes dropped EXE 6 IoCs
Processes:
- PID 932: explorti.exe
- PID 1732: 0294021ada.exe
- PID 1872: 0a5a77df50.exe
- PID 2000: IDHIDBAEGI.exe
- PID 5860: explorti.exe
- PID 1580: explorti.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe: Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine
- IDHIDBAEGI.exe: Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Wine
-
Loads dropped DLL 2 IoCs
Processes:
- PID 1732: 0294021ada.exe (2 entries)
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials among other sensitive data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe: YARA rule autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
- PID 2004: 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
- PID 932: explorti.exe
- PID 1732: 0294021ada.exe (2 entries)
- PID 2000: IDHIDBAEGI.exe
- PID 5860: explorti.exe
- PID 1580: explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes:
- 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe: File created C:\Windows\Tasks\explorti.job
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- 0294021ada.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- 0294021ada.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
-
Modifies registry class 1 IoCs
Processes:
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
- PID 2004: 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe (2 entries)
- PID 932: explorti.exe (2 entries)
- PID 1732: 0294021ada.exe (4 entries)
- PID 2000: IDHIDBAEGI.exe (2 entries)
- PID 5860: explorti.exe (2 entries)
- PID 1580: explorti.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- PID 2832: firefox.exe, Token: SeDebugPrivilege (5 entries)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (distinct pid/process pairs; 64 rows in total):
- PID 2004: 5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe
- PID 1872: 0a5a77df50.exe (repeated)
- PID 2832: firefox.exe (repeated)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes (64 rows, all the same pid/process pair):
- PID 1872: 0a5a77df50.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- PID 1732: 0294021ada.exe
- PID 2832: firefox.exe
- PID 488: cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (distinct source/target pairs; 64 rows in total):
- PID 2004 (5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe) wrote to memory of PID 932 (explorti.exe)
- PID 932 (explorti.exe) wrote to memory of PID 1732 (0294021ada.exe)
- PID 932 (explorti.exe) wrote to memory of PID 1872 (0a5a77df50.exe)
- PID 1872 (0a5a77df50.exe) wrote to memory of PID 3648 (firefox.exe)
- PID 3648 (firefox.exe) wrote to memory of PID 2832 (firefox.exe)
- PID 2832 (firefox.exe) wrote to memory of PID 2356 (firefox.exe) (repeated)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe (depth 1, PID 2004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b7c5538d46b65c20287b12f35f75d4f62e7d9e9188490b24892c96724d652b2.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 2, PID 932)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1000006001\0294021ada.exe (depth 3, PID 1732)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\0294021ada.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1564)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe"
        - C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe (depth 5, PID 2000)
          Command line: "C:\Users\Admin\AppData\Local\Temp\IDHIDBAEGI.exe"
          Signatures:
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 488)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFCBAAEBKE.exe"
        Signatures:
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe (depth 3, PID 1872)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\0a5a77df50.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Mozilla Firefox\firefox.exe (depth 4, PID 3648)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        Signatures:
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Mozilla Firefox\firefox.exe (depth 5, PID 2832)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          Signatures:
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 2356)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e84cf09a-5db7-4cdf-9922-c7d6df39a15c} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" gpu
          - C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 224)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e791aeb-5a47-48c3-b268-952b70d301c3} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" socket
          - C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1064)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2920 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a747872-4918-4c13-bfb7-19fe8667d303} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab
          - C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 4072)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3652 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57916812-b55d-4177-874f-88c8897108f1} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab
          - C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 5180)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4772 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce3e4bc-acb8-4f74-ab30-f11ddc3edd1d} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" utility
            Signatures:
            - Checks processor information in registry
          - C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1476)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 3 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97ca0da9-0d41-417d-aaf0-8d02085b0fb2} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab
          - C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1400)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5804 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55234289-433e-4fe4-a869-ffe75bc07699} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab
          - C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 3872)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 5 -isForBrowser -prefsHandle 5924 -prefMapHandle 5932 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1044 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c715d428-f621-4c46-a225-cb3e2395677a} 2832 "\\.\pipe\gecko-crash-server-pipe.2832" tab
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1, PID 5860)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1, PID 1580)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads