Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-07-2024 02:18

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
  - Resource: win10v2004-20240709-en
General

- Target: 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
- Size: 1.8MB
- MD5: ad7686b6a3804dda1cb2b039efdcd54f
- SHA1: d810885254abaf8d3ac93269209141833c45ce58
- SHA256: 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181
- SHA512: d795e4c224d9e9066822a009602dd38542f86021b994accf3cdc715e869d58bd9321b8c07d776848a2d5bea8607c347d15030861dc63fcb2392e87e3feb901f4
- SSDEEP: 49152:ESJakxgxf2S6nC4RK7lXR3JkyWm7YNcT8vlP:ESJxxgxf2SdMUOy/YNemP
Malware Config

Extracted: amadey
- 4.30
- 4dd39d
- http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php

Extracted: stealc
- hate
- http://85.28.47.30
- url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
Processes (process: description, IoC):
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- FBGIDHCAAK.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Downloads MZ/PE file

Checks BIOS information in registry [2 TTPs, 12 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes (process: description, IoC):
- 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- FBGIDHCAAK.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- FBGIDHCAAK.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Executes dropped EXE [7 IoCs]
Processes (PID, process):
- 708 explorti.exe
- 220 16b475fe86.exe
- 5068 e07a165db9.exe
- 4680 explorti.exe
- 4352 FBGIDHCAAK.exe
- 3632 explorti.exe
- 2488 explorti.exe

Identifies Wine through registry keys [2 TTPs, 6 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (process: description, IoC):
- 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe: Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine
- FBGIDHCAAK.exe: Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Wine

Loads dropped DLL [2 IoCs]
Processes (PID, process):
- 220 16b475fe86.exe
- 220 16b475fe86.exe

Reads data files stored by FTP clients [2 TTPs]
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Checks installed software on the system [1 TTP]
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable [1 IoC]
AutoIT scripts compiled to PE executables.
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe: autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger [9 IoCs]
Processes (PID, process):
- 3916 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
- 708 explorti.exe
- 220 16b475fe86.exe
- 220 16b475fe86.exe
- 4680 explorti.exe
- 220 16b475fe86.exe
- 4352 FBGIDHCAAK.exe
- 3632 explorti.exe
- 2488 explorti.exe

Drops file in Windows directory [1 IoC]
Processes (process: description, IoC):
- 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe: File created C:\Windows\Tasks\explorti.job

Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry [2 TTPs, 10 IoCs]
Processor information is often read in order to detect sandboxing environments.
Processes (process: description, IoC):
- 16b475fe86.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- 16b475fe86.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision

Modifies registry class [1 IoC]
Processes (process: description, IoC):
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses [16 IoCs]
Processes (PID, process):
- 3916 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
- 3916 5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe
- 708 explorti.exe
- 708 explorti.exe
- 220 16b475fe86.exe
- 220 16b475fe86.exe
- 4680 explorti.exe
- 4680 explorti.exe
- 220 16b475fe86.exe
- 220 16b475fe86.exe
- 4352 FBGIDHCAAK.exe
- 4352 FBGIDHCAAK.exe
- 3632 explorti.exe
- 3632 explorti.exe
- 2488 explorti.exe
- 2488 explorti.exe

Suspicious use of AdjustPrivilegeToken [5 IoCs]
Processes (description, PID, process):
- Token: SeDebugPrivilege, 3596 firefox.exe
- Token: SeDebugPrivilege, 3596 firefox.exe
- Token: SeDebugPrivilege, 3596 firefox.exe
- Token: SeDebugPrivilege, 3596 firefox.exe
- Token: SeDebugPrivilege, 3596 firefox.exe
Suspicious use of FindShellTrayWindow [64 IoCs]
Suspicious use of SendNotifyMessage [64 IoCs]
Suspicious use of SetWindowsHookEx [3 IoCs]
Processes (PID, process):
- 220 16b475fe86.exe
- 3596 firefox.exe
- 1396 cmd.exe
Suspicious use of WriteProcessMemory [64 IoCs]
Uses Task Scheduler COM API [1 TTP]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe (PID 3916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5842a1d293da1841855ce668ddca09bc567bbe6da191bf7af3fdc6a69f137181.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe (PID 220)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\16b475fe86.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe (PID 3288)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe"
        - C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe (PID 4352)
          Command line: "C:\Users\Admin\AppData\Local\Temp\FBGIDHCAAK.exe"
          Signatures:
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 1396)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGDGDHJJDG.exe"
        Signatures:
        - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe (PID 5068)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\e07a165db9.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Mozilla Firefox\firefox.exe (PID 804)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        Signatures:
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3596)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          Signatures:
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 788)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1876 -prefsLen 25749 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c4bd56c-0b44-4a5b-98d1-76dca708d586} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" gpu
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2780)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 26669 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b69606f-09e0-4f1e-adfc-543f84e61b4c} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" socket
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1112)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3112 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37b29c4e-ff66-4819-9b07-19703aede96d} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4300)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3524 -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3564 -prefsLen 31159 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7af3360-47da-4a98-baa8-7405e1fc9e91} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4840)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4700 -prefsLen 31159 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9bacff3-4b0c-45b6-aca0-14bd33584160} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" utility
            Signatures:
            - Checks processor information in registry
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1400)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 4692 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c03dd480-4d96-4a23-89ec-e0338273f6c1} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2336)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43c80f97-fb02-4fc7-96eb-efb4d8598d3e} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
          - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1580)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5820 -prefMapHandle 5824 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a44e13a-af27-4d7f-ab14-3dc4c7eef11f} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 4680)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 3632)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 2488)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads