Analysis
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 22:22
Static task: static1
Behavioral task: behavioral1
Sample: 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
Resource: win10v2004-20240709-en

General
Target: 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
Size: 1.8MB
MD5: 89168ab28e036a943a182f48d4a224e0
SHA1: ca77a0fccf454c9b890d59c4bbbb9b0f75ed4067
SHA256: 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f
SHA512: 9c365997be6c0aede04b6b25754533c5f7d5ea9c3be9adadcea0154282b48518a51c236681d4ed36bafeb69a074cc1d4667c5a68418e630b1538f960b00ba801
SSDEEP: 49152:iuvNX0qKMczZXXveeIitGton9krJCEaCNjxSU:iwNX0yczZXXmnitln9krOg1
Malware Config

Extracted
amadey
4.41
0657d1
http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php

Extracted
stealc
sila
http://85.28.47.31
url_path: /5499d72b3a3e55be.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry - 2 TTPs, 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe

Checks computer location settings - 2 TTPs, 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | bbb4c96814.exe

Executes dropped EXE - 6 IoCs
pid | Process
1820 | explorti.exe
3332 | d7586d80ec.exe
3652 | explorti.exe
2900 | bbb4c96814.exe
5152 | explorti.exe
5324 | explorti.exe

Identifies Wine through registry keys - 2 TTPs, 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
Key opened | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine | explorti.exe

Adds Run key to start application - 2 TTPs, 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d7586d80ec.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\d7586d80ec.exe" | explorti.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbb4c96814.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000017001\\bbb4c96814.exe" | explorti.exe

AutoIT Executable - 15 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2900-400-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-418-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-425-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-471-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-1148-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2579-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2625-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2632-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2635-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2637-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2639-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2641-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2646-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2656-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe
behavioral1/memory/2900-2659-0x0000000000300000-0x0000000000DDA000-memory.dmp | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 20 IoCs
pid | Process
760 | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
1820 | explorti.exe
3652 | explorti.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
5152 | explorti.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe
5324 | explorti.exe
2900 | bbb4c96814.exe
2900 | bbb4c96814.exe

Drops file in Windows directory - 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe

Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash - 1 IoCs
pid | pid_target | Process | procid_target
1072 | 3332 | WerFault.exe | 90

System Location Discovery: System Language Discovery - 1 TTPs, 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d7586d80ec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bbb4c96814.exe

Checks processor information in registry - 2 TTPs, 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe

Modifies registry class - 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses - 10 IoCs
pid | Process
760 | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
760 | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
1820 | explorti.exe
1820 | explorti.exe
3652 | explorti.exe
3652 | explorti.exe
5152 | explorti.exe
5152 | explorti.exe
5324 | explorti.exe
5324 | explorti.exe

Suspicious use of AdjustPrivilegeToken - 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3016 | firefox.exe
Token: SeDebugPrivilege | 3016 | firefox.exe
Token: SeDebugPrivilege | 3016 | firefox.exe
Token: SeDebugPrivilege | 3016 | firefox.exe
Token: SeDebugPrivilege | 3016 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 760 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 3016 firefox.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe 2900 bbb4c96814.exe -
Suspicious use of SetWindowsHookEx - 2 IoCs
pid | Process
2900 | bbb4c96814.exe
3016 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 760 wrote to memory of 1820 | 760 | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe | 85
PID 760 wrote to memory of 1820 | 760 | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe | 85
PID 760 wrote to memory of 1820 | 760 | 234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe | 85
PID 1820 wrote to memory of 3332 | 1820 | explorti.exe | 90
PID 1820 wrote to memory of 3332 | 1820 | explorti.exe | 90
PID 1820 wrote to memory of 3332 | 1820 | explorti.exe | 90
PID 1820 wrote to memory of 2900 | 1820 | explorti.exe | 94
PID 1820 wrote to memory of 2900 | 1820 | explorti.exe | 94
PID 1820 wrote to memory of 2900 | 1820 | explorti.exe | 94
PID 2900 wrote to memory of 964 | 2900 | bbb4c96814.exe | 101
PID 2900 wrote to memory of 964 | 2900 | bbb4c96814.exe | 101
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 964 wrote to memory of 3016 | 964 | firefox.exe | 103
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
PID 3016 wrote to memory of 1168 | 3016 | firefox.exe | 104
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the process tree level; the number after each path is the level reported by the sandbox)

Level 1: C:\Users\Admin\AppData\Local\Temp\234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\234be80f802a098bf02f66f9fa615891f5f8f959f596fc36cd5a712931f4123f.exe"
  PID: 760
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    PID: 1820
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\1000016001\d7586d80ec.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\d7586d80ec.exe"
      PID: 3332
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1012
        PID: 1072
        - Program crash

    Level 3: C:\Users\Admin\AppData\Local\Temp\1000017001\bbb4c96814.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000017001\bbb4c96814.exe"
      PID: 2900
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        PID: 964
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          PID: 3016
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1892 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb932280-141e-434c-b11d-b547b8d4a120} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" gpu
            PID: 1168

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {601415e0-64dd-4c7b-bc89-085a9bc4fcc6} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" socket
            PID: 1136

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 2716 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {347e7b55-fdfa-4881-a567-ae39ca5b9de2} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
            PID: 2304

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -childID 2 -isForBrowser -prefsHandle 3852 -prefMapHandle 3848 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25121a66-b414-4580-9ad2-d1aa72df3e99} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
            PID: 5040

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4712 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19dc3d5a-66a5-4ba6-8f05-6773d9e1f2c7} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" utility
            PID: 5584
            - Checks processor information in registry

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5304 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d621ace-1bfc-47b8-b6d0-f6d59b9b8e9b} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
            PID: 2440

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df2d242b-ea9e-408f-b7bc-6e7ec5f55e4f} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
            PID: 1036

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 5 -isForBrowser -prefsHandle 5620 -prefMapHandle 5624 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1160 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3712a8c-6104-4a1f-b3ce-353c3c6b5c57} 3016 "\\.\pipe\gecko-crash-server-pipe.3016" tab
            PID: 4288

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  PID: 3652
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3332 -ip 3332
  PID: 1204

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  PID: 5152
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

Level 1: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  PID: 5324
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads