Analysis
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted
12-07-2024 06:09
Static task
static1
Behavioral task
behavioral1
Sample
d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
Resource
win10v2004-20240709-en
General
-
Target
d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
-
Size
2.4MB
-
MD5
08c7502b3315ce651b6b57849c1d7308
-
SHA1
25d8366a04fca7105e7c38eac267ab787456f8c3
-
SHA256
d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
-
SHA512
d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d
-
SSDEEP
49152:JZtQ7s/0xcupfZA9HtWtVvFqFn3rmtJMNo:J0rfZQstaFbSQ
Malware Config
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: explorti.exe, EGDBAFHJJD.exe, explorti.exe, explorti.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  EGDBAFHJJD.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, explorti.exe, explorti.exe, EGDBAFHJJD.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  EGDBAFHJJD.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  EGDBAFHJJD.exe
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, cmd.exe, EGDBAFHJJD.exe, explorti.exe, 73672817a3.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation  cmd.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation  EGDBAFHJJD.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation  explorti.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation  73672817a3.exe
-
Executes dropped EXE 6 IoCs
Processes: EGDBAFHJJD.exe, explorti.exe, b900859885.exe, 73672817a3.exe, explorti.exe, explorti.exe
pid  process
2264  EGDBAFHJJD.exe
4396  explorti.exe
1728  b900859885.exe
2992  73672817a3.exe
4464  explorti.exe
5048  explorti.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorti.exe, explorti.exe, EGDBAFHJJD.exe, explorti.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine  explorti.exe
Key opened  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine  explorti.exe
Key opened  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine  EGDBAFHJJD.exe
Key opened  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Wine  explorti.exe
-
Loads dropped DLL 2 IoCs
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
pid  process
1516  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
1516  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe  autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, EGDBAFHJJD.exe, explorti.exe, b900859885.exe, explorti.exe, explorti.exe
pid  process
1516  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
1516  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
2264  EGDBAFHJJD.exe
4396  explorti.exe
1728  b900859885.exe
4464  explorti.exe
5048  explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes: EGDBAFHJJD.exe
description  ioc  process
File created  C:\Windows\Tasks\explorti.job  EGDBAFHJJD.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe, d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings  firefox.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, EGDBAFHJJD.exe, explorti.exe, explorti.exe, explorti.exe
pid  process
1516  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe (x4)
2264  EGDBAFHJJD.exe (x2)
4396  explorti.exe (x2)
4464  explorti.exe (x2)
5048  explorti.exe (x2)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: firefox.exe
description  pid  process
Token: SeDebugPrivilege  1852  firefox.exe (x5)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 73672817a3.exe, firefox.exe
pid  process
2992  73672817a3.exe (x7)
1852  firefox.exe (x21)
2992  73672817a3.exe (x36)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 73672817a3.exe, firefox.exe
pid  process
2992  73672817a3.exe (x7)
1852  firefox.exe (x21)
2992  73672817a3.exe (x36)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, cmd.exe, b900859885.exe, firefox.exe
pid  process
1516  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
552  cmd.exe
1728  b900859885.exe
1852  firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, cmd.exe, EGDBAFHJJD.exe, explorti.exe, 73672817a3.exe, firefox.exe, firefox.exe
description  pid  process  target process
PID 1516 wrote to memory of 976  1516  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe  cmd.exe (x3)
PID 1516 wrote to memory of 552  1516  d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe  cmd.exe (x3)
PID 976 wrote to memory of 2264  976  cmd.exe  EGDBAFHJJD.exe (x3)
PID 2264 wrote to memory of 4396  2264  EGDBAFHJJD.exe  explorti.exe (x3)
PID 4396 wrote to memory of 1728  4396  explorti.exe  b900859885.exe (x3)
PID 4396 wrote to memory of 2992  4396  explorti.exe  73672817a3.exe (x3)
PID 2992 wrote to memory of 2740  2992  73672817a3.exe  firefox.exe (x2)
PID 2740 wrote to memory of 1852  2740  firefox.exe  firefox.exe (x11)
PID 1852 wrote to memory of 1624  1852  firefox.exe  firefox.exe (x33)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe"
  PID: 1516
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe"
    PID: 976
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe"
      PID: 2264
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        PID: 4396
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\1000006001\b900859885.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\b900859885.exe"
          PID: 1728
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe"
          PID: 2992
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            PID: 2740
            - Suspicious use of WriteProcessMemory
            C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              PID: 1852
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a60cd2e5-63f4-43fb-8174-e93242540a1a} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" gpu
                PID: 1624
              C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b04f0160-2f35-47ba-ad0e-c657ce211931} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" socket
                PID: 2140
              C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2900 -childID 1 -isForBrowser -prefsHandle 2796 -prefMapHandle 3176 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc167505-6587-4656-b990-1080a2971162} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                PID: 4764
              C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de49b3a3-e65e-4601-8ce6-91af482fb4e6} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                PID: 3592
              C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4644 -prefMapHandle 4684 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ed6ba39-868e-4b41-93c3-07b7af8825bf} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" utility
                PID: 5072
                - Checks processor information in registry
              C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d69594ba-4714-400b-8c2a-604009b6aca1} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                PID: 5624
              C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54e1a3a5-6ced-4202-bc76-b218c1fc4403} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                PID: 5636
              C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2db10508-9afe-4fa1-9d9a-9c22818d5e73} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                PID: 5668
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIEHIDHJDB.exe"
    PID: 552
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  PID: 4464
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  PID: 5048
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
593KB
MD5
c8fd9be83bc728cc04beffafc2907fe9
SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD5
1cc453cdf74f31e4d913ff9c10acdde2
SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\activity-stream.discovery_stream.json.tmp
Filesize
18KB
MD5
8b94e4274372c68b6cc95bef2fe606f1
SHA1
def18ca9b6a23c331fc26299673dbdc112faba3f
SHA256
d929e7660500da559acb41b799741eff9a666899206f3460b7587ee7f0fbbe6d
SHA512
89aae345dc35b9b4996c10683b0cbc8c6ee999629be10810d719911f87f825f0d4b44f96e0ea1beb03d93c6c4d840c71d164694129a09d0118fd7dfe699ebd5b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize
13KB
MD5
40dd09d1a6b8ef064441794d340f211f
SHA1
6e43368c1467117e2d1aae3c5f385957b66dff69
SHA256
cf39e052a5e5bc14ab9faff1337c89996cb6aab7dcb840aadaeba3ea6366d78d
SHA512
d24318681c7ec0144fa306b8dd8cefb70e26dc9d18f6a756deb194004105d15b3f8bfe7eaa38a3b929b03c3e5a11746a1bf9bfeaa07fc283c14916d2377ac01e
-
Filesize
2.4MB
MD5
08c7502b3315ce651b6b57849c1d7308
SHA1
25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256
d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA512
d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d
-
Filesize
1.2MB
MD5
c9d56cd0a203897f2a7e757c6f56367d
SHA1
f3ce65c3ddbc08ed507de1486992ed5d4dd67b6e
SHA256
7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d
SHA512
ad06efb0e7c6fd32c4e19929dd63bf4e53562f03ab9a96b8f45a115361cacb984aa2bb0600dffd1d9f68d2a60fb781449097fe1cfe78c10b3d9a2c2f3cb2c63e
-
Filesize
1.8MB
MD5
a7a231ef5b7166696111b8b2151f0b2c
SHA1
4ae6e23e6a4c23dc421775a7a55f2329aa975d5b
SHA256
c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
SHA512
27756ffd4b67dc8034ef3d168fae3ba042da75ad7a5a530764bfd9418c8ed79f9b1edf056633e3d0d89c974a57e704a11ea923bed13e81e0beefdc43f1b7fb15
-
Filesize
479KB
MD5
09372174e83dbbf696ee732fd2e875bb
SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD5
0a8747a2ac9ac08ae9508f36c6d75692
SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin
Filesize
17KB
MD5
8d57fa5aa1cfe9b932aa931c3cc291f0
SHA1
ecfd102f53b77c47b79ec53a791c7c003b0219e3
SHA256
2a05cc0df37e0335448413af6508c7ba727f6907d5fb0b255624a89bcef3eb64
SHA512
5574df51302cbda8d065d2c5f3867ddc71b1f262a65ba7d6d7f4851778c6880249bbe26109158499f9811cd34112d183095452b2af3f69892c56ece351f24f24
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin
Filesize
12KB
MD5
ca20f928bd38f4d22f33b035bb292d4d
SHA1
d99bed3055057177784584ea61313ef069f98497
SHA256
f3cef16f1ec3b5bce7f3f0048898dcfbe65e6eb90711c91a0b5f190ab44358db
SHA512
82e111433bcaf5916bf801c3c936acb6fd0252d0bf6a3139d7b482238aca158bca80ba6156a2a45c315fe1599c2275a855d1d360b6f1870be0c7159dc57d81b0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB
MD5
09476edcc957f3075a249b020ce4bdcc
SHA1
e8c67c7c71089da8a3d79b406ca84251d5bb9eff
SHA256
75b5f3f7062473a2abe306ec12b06e32d9ea9ff70167bb0f8d1200cacaa00dbd
SHA512
f97875281510e243eb0a918c1d510be4c989c62444bab95c7122701c6cccd475be7ed7bb09009b238cb9408cb88ad783bc9598d294e4ac4eb24a70e8a8e3f9cd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize
15KB
MD5
d9418dc76083f658667a859718766bd1
SHA1
0af40ab41621ed28a878123dfef3cdf1cf17d295
SHA256
4ed980668b16aa81adc4216d2f65edb0b250d25771ccf639c47b4b7bc3ad2977
SHA512
8fa5d185a9f74a6d09cc431eec85f1fe2e6ccac9ce9d975a6a26924c49e5f44356af382392e4d0d9d5574f5403084cacefa05225efcd997d764b350a47ba8de0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB
MD5
a4f2a5ec5c1135e0a7c184930f5ff68a
SHA1
20e15c9d66a6b1a50d25cb5999c8b6e48ffda20e
SHA256
fc70d9af1ae5f1a5ff93ebfa81879d278914c7c150068db4b3c17380494e02e7
SHA512
b714ad22d756a6f15d8148b56fe0fcfc15befc8e5159693b87fab3faf807a53e7a4ef193826dcd3be7a0d4266d7a3899ccbe1272c7afdb481ac73c47857b9272
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\2a93af1d-b134-4ae0-83e3-3039160c0107
Filesize
982B
MD5
aab0dd196b1739e8043abd6ece4072e9
SHA1
2d7b98000fccbe6cc269583d567e3e17e3e8cad6
SHA256
e13930b6d7b7445132dcaae5cfc70cb9d0473a2b219f925aa39f73edae90a0d3
SHA512
892c34ba2b596e7ec9a3cddfcb7179e2399663e1433010741f95166a64999e80dd4b054bbc1009b8b3fe446613efb8acebd1b6fda4d590fb5e80951377cea012
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\4adfc75c-4da9-446c-9f9a-cdf9b4e5cea8
Filesize
671B
MD5
8540ef4b765c977aca154e66d760d2ed
SHA1
be4cc426518a61eccc49f3b4bc2a38b7378dcba1
SHA256
76fd29a832ecb7be3b9c7a546205cac3f2522b25794007b193cedb3eeef7310f
SHA512
39bb1b0d669772e43934f34fcd63ffe2ab43f9dc7ea8823d4edf355c1205415c5f17b2e46ec6af39b8f399cb71b77c264d6c143363c0241395271a059bc9945a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\d56b0b07-2bbf-49f8-a9e3-6429cf3593fe
Filesize
27KB
MD5
044228c23afb3b6f560c03e4e6fada36
SHA1
9e4b9b86eee605fe2f2867e6948537c13db2b9d3
SHA256
4870e400002cc7227174b2e7cb3a979dfeb2512e7937f7c006cb0157bc5adefb
SHA512
8bbcd2fb27cffd7b31740c9d14de8a0460f8e9370b684f492b7954168ae1d4dd5377c361804fc465687a012eee0e47d6e5960398cd42638626d6175f0baa427e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
13KB
MD5
a3fb8dc2bbcd20226447f11f434d6e55
SHA1
5484a7ee5661b4ed5f316a1c3f69395078434096
SHA256
1ac39e7968433a7a2c9dd0b0ef937d3e5c250f7a3f80e922a91a2d8357e0c562
SHA512
3f54e6d625da1d7846af31f05cd01141c28cc85073a870a43ee08a5058bfcadc0ef7bf7d43706ffdd1841d6c312d91a45cc122bcdadcc658979760580f0d24ed
-
Filesize
16KB
MD5
1dcca2ecdbed77490dbc5eb4db62481f
SHA1
f1032fff5ce2aa415a0b715434a4c6a2e233107c
SHA256
9d38cfd7dfb5fb6657a26d98f67d91bd528fb186fdc940da8ee88b43418ae82f
SHA512
c12c2a821304d7c06a1052572861e66f25ebd0bc6e7d79f9c808ace58e7784b833fa44657d035252eeb2dc6a1bc9a90af634a6bce3f146a1c912a96c55ebdddf
-
Filesize
8KB
MD5
43f44d4e5d7197d093ccfc56713464c1
SHA1
15dc6eb40ac53644d491018e0f7f42d04a7f9fc4
SHA256
8e4c316cabe75ef73115b4f22ca6bd59fdaf5604643643efd85a3ccb8fedddd1
SHA512
03cdc90c347a31ff4423a7b570efad4ddb5aef18872157bc0a03e5c78c898d4140814f77b1764a039f17689cf8e5f34a10a15d4eef9980d52e29b39ba7dd5b8c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.5MB
MD5
db5e2366b7caabee207286d5d3790a1b
SHA1
8829687e15d8a2327bf1bb3f6ce73369f305d98e
SHA256
9245c50e2df5757a5e2cca79889f7c0e6327cde770a905cb1de103264ac9d7e5
SHA512
505bceaa6bc111a274d4c337ba2506cea7c5259088ea47a1a8a7f71f87591a030856051b8677afe945b93adcd173ff09b28848baa2634770d58d7b88ec7ca908