Analysis
max time kernel: 149s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-07-2024 21:39
Static task: static1
Behavioral task: behavioral1
Sample: d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
Resource: win10v2004-20240709-en
General
Target: d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
Size: 1.8MB
MD5: 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA1: 1308a16f47a014b4fe35573d944f69629fbc1255
SHA256: d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512: c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87
SSDEEP: 49152:OumpRLWrfLQ/QeXgD2LWd3U0yze5ZQILCDNci6uX:OumuTCy2L1ze9Sz
Malware Config
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes (description / ioc / process):
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by ECGDBAEHIJ.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by explorti.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by explorti.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by ECGDBAEHIJ.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by ECGDBAEHIJ.exe
-
Executes dropped EXE 6 IoCs
Processes (pid / process):
- 2952 explorti.exe
- 2148 36b89c6000.exe
- 3304 3a436aa627.exe
- 3196 ECGDBAEHIJ.exe
- 2772 explorti.exe
- 1408 explorti.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description / ioc / process):
- Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine by d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
- Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine by explorti.exe
- Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine by ECGDBAEHIJ.exe
- Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine by explorti.exe
- Key opened \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine by explorti.exe
-
Loads dropped DLL 2 IoCs
Processes (pid / process):
- 2148 36b89c6000.exe
- 2148 36b89c6000.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe matched autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes (pid / process):
- 1104 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
- 2952 explorti.exe
- 2148 36b89c6000.exe
- 2148 36b89c6000.exe
- 3196 ECGDBAEHIJ.exe
- 2772 explorti.exe
- 1408 explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes (description / ioc / process):
- File created C:\Windows\Tasks\explorti.job by d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by 36b89c6000.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by 36b89c6000.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
-
Modifies registry class 1 IoCs
Processes (description / ioc / process):
- Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings by firefox.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes (pid / process):
- 1104 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
- 1104 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe
- 2952 explorti.exe
- 2952 explorti.exe
- 2148 36b89c6000.exe
- 2148 36b89c6000.exe
- 2148 36b89c6000.exe
- 2148 36b89c6000.exe
- 3196 ECGDBAEHIJ.exe
- 3196 ECGDBAEHIJ.exe
- 2772 explorti.exe
- 2772 explorti.exe
- 1408 explorti.exe
- 1408 explorti.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege 1748 firefox.exe
- Token: SeDebugPrivilege 1748 firefox.exe
- Token: SeDebugPrivilege 1748 firefox.exe
- Token: SeDebugPrivilege 1748 firefox.exe
- Token: SeDebugPrivilege 1748 firefox.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid / process; 64 entries, identical rows collapsed with their count):
- 1104 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe (1 entry)
- 3304 3a436aa627.exe (42 entries)
- 1748 firefox.exe (21 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid / process; 64 entries, identical rows collapsed with their count):
- 3304 3a436aa627.exe (64 entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid / process):
- 2148 36b89c6000.exe
- 1748 firefox.exe
- 1192 cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process; 64 entries, identical rows collapsed with their count):
- PID 1104 wrote to memory of 2952: d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe -> explorti.exe (3 entries)
- PID 2952 wrote to memory of 2148: explorti.exe -> 36b89c6000.exe (3 entries)
- PID 2952 wrote to memory of 3304: explorti.exe -> 3a436aa627.exe (3 entries)
- PID 3304 wrote to memory of 3664: 3a436aa627.exe -> firefox.exe (2 entries)
- PID 3664 wrote to memory of 1748: firefox.exe -> firefox.exe (11 entries)
- PID 1748 wrote to memory of 3172: firefox.exe -> firefox.exe (42 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 1104
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2952
-
C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\36b89c6000.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2148
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe"
PID: 1116
-
C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\ECGDBAEHIJ.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3196
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AEGHIJEHJD.exe"
- Suspicious use of SetWindowsHookEx
PID: 1192
-
C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\3a436aa627.exe"
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3304
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 4)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID: 3664
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1748
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c52f1e5-1fb9-48f2-baf0-eca4fc046135} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" gpu
PID: 3172
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {418cf5f1-a175-483d-8ae7-956355ffc0b7} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" socket
PID: 1036
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2872 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dc4f10-a52a-4957-882f-42efe3278b6d} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab
PID: 3884
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3800 -childID 2 -isForBrowser -prefsHandle 3792 -prefMapHandle 3416 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd746f1e-6ab3-4c8d-aae4-f8b45d8d42eb} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab
PID: 4128
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4536 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2764 -prefMapHandle 4472 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7e654da-45d1-4821-834d-529c21efa911} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" utility
- Checks processor information in registry
PID: 920
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 3 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcf82f7b-0041-48c1-92c6-0a5cfb57a14c} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab
PID: 1564
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 4 -isForBrowser -prefsHandle 5816 -prefMapHandle 5820 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e775935-c4b7-45f4-ad7d-1d8035d8e11f} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab
PID: 1464
-
C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5996 -prefMapHandle 6000 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf07e4db-e8ee-4f6c-8fce-2b58d3dbdb42} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" tab
PID: 760
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 2772
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 1408
Network
MITRE ATT&CK Enterprise v15
Downloads