Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64 arch:x86 image:win11-20240709-en locale:en-us os:windows11-21h2-x64 system -
submitted
09-07-2024 22:44
Static task
static1
Behavioral task
behavioral1
Sample
783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
Resource
win10v2004-20240709-en
General
-
Target
783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
-
Size
2.3MB
-
MD5
e43a0ac327404f3008b679e0b1293c6b
-
SHA1
9a2461c520ccc44840c1bd041467ce084dadab51
-
SHA256
783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
-
SHA512
804d187c5b62ada2a6d9ad922ce7042c66a0e2110b2cac7c223fcf37b0af3e514bdf37d08eac83972c21968833cd563bc3eb6099ed95df01e45039078b36d58d
-
SSDEEP
49152:LkYIJsBoDjEdjeXiaTwfqvASVk9yTYn8C4S5gioYgwm:NZj5aqq9ay+NpE
Malware Config
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
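The two configs above list the C2 host and the URL path as separate fields. Joining them gives the full callback URLs to search for, and the Amadey install_dir/install_file pair gives the on-disk drop path (the process tree further down shows it under the user's Temp directory). The following Python is an added example, not part of the sandbox output and not code from either malware family: it builds those indicators from the config values and runs them over a few constructed proxy-log lines. The log line format, the %LOCALAPPDATA%\Temp install root and the IocSet/match_proxy_log names are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlparse

# Values copied verbatim from the "Malware Config" section of the report.
STEALC_CFG = {
    "family": "stealc",
    "c2": "http://85.28.47.30",
    "url_path": "/920475a59bac849d.php",
}
AMADEY_CFG = {
    "family": "amadey",
    "version": "4.30",
    "c2": "http://77.91.77.82",
    "install_dir": "ad40971b6b",
    "install_file": "explorti.exe",
    "url_paths": ["/Hun4Ko/index.php"],
}

# Assumption: Amadey installs under %LOCALAPPDATA%\Temp\<install_dir>\;
# the process tree in this report shows exactly that location.
INSTALL_ROOT = r"C:\Users\*\AppData\Local\Temp"


@dataclass
class IocSet:
    urls: set = field(default_factory=set)        # full C2 callback URLs
    hosts: set = field(default_factory=set)       # bare C2 hosts
    file_paths: set = field(default_factory=set)  # on-disk drop locations


def iocs_from_config(cfg: dict) -> IocSet:
    """Join the config's C2 host and path(s) into searchable indicators."""
    out = IocSet()
    base = cfg["c2"].rstrip("/") + "/"
    out.hosts.add(urlparse(base).hostname)
    paths = cfg.get("url_paths") or [cfg.get("url_path")]
    for path in paths:
        if path:
            out.urls.add(urljoin(base, path.lstrip("/")))
    if cfg.get("install_dir") and cfg.get("install_file"):
        out.file_paths.add(
            INSTALL_ROOT + "\\" + cfg["install_dir"] + "\\" + cfg["install_file"])
    return out


def merge(*sets: IocSet) -> IocSet:
    out = IocSet()
    for s in sets:
        out.urls |= s.urls
        out.hosts |= s.hosts
        out.file_paths |= s.file_paths
    return out


# Constructed proxy log lines (format assumed: time client method url status).
SAMPLE_PROXY_LOG = [
    "2024-07-09T22:45:01Z 10.0.0.12 POST http://77.91.77.82/Hun4Ko/index.php 200",
    "2024-07-09T22:45:03Z 10.0.0.12 POST http://85.28.47.30/920475a59bac849d.php 200",
    "2024-07-09T22:45:09Z 10.0.0.12 GET http://77.91.77.82/Hun4Ko/other.bin 200",
    "2024-07-09T22:45:10Z 10.0.0.12 GET https://www.youtube.com/account 200",
]


def match_proxy_log(lines, iocs: IocSet):
    """Return (line_no, url, kind) for each line touching a C2 indicator.

    kind is "url" for an exact callback-URL match and "host" for a request to
    a C2 host on some other path (still worth an alert: same infrastructure).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            if not tok.startswith(("http://", "https://")):
                continue
            if tok in iocs.urls:
                hits.append((n, tok, "url"))
            elif urlparse(tok).hostname in iocs.hosts:
                hits.append((n, tok, "host"))
    return hits


if __name__ == "__main__":
    iocs = merge(iocs_from_config(STEALC_CFG), iocs_from_config(AMADEY_CFG))
    for url in sorted(iocs.urls):
        print("C2 URL :", url)
    for p in sorted(iocs.file_paths):
        print("Drop   :", p)
    for n, url, kind in match_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(f"line {n}: {kind} match -> {url}")
```

The host-level match is deliberately kept separate from the exact-URL match: Amadey fetches its payloads from the same host on other paths, so a host hit on a different path is still the same infrastructure, but it is noisier and should be labelled as such when pushed to a SIEM.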
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes: KEBFHIJECF.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | KEBFHIJECF.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: KEBFHIJECF.exe, explorti.exe, explorti.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | KEBFHIJECF.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | KEBFHIJECF.exe
-
Executes dropped EXE 5 IoCs
Processes: KEBFHIJECF.exe, explorti.exe, eeea85c6b1.exe, 0ab60d16e4.exe, explorti.exe
pid | process
3008 | KEBFHIJECF.exe
4828 | explorti.exe
4400 | eeea85c6b1.exe
3616 | 0ab60d16e4.exe
2108 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorti.exe, explorti.exe, KEBFHIJECF.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Wine | KEBFHIJECF.exe
-
Loads dropped DLL 2 IoCs
Processes: 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
pid | process
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe, KEBFHIJECF.exe, explorti.exe, eeea85c6b1.exe, explorti.exe
pid | process
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3008 | KEBFHIJECF.exe
4828 | explorti.exe
4400 | eeea85c6b1.exe
4400 | eeea85c6b1.exe
2108 | explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes: KEBFHIJECF.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | KEBFHIJECF.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe, 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
-
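The VirtualBox ACPI, BIOS-version, Wine and processor-information signatures above are all plain registry reads, which makes them easy to log with a registry-auditing sensor but also easy to over-alert on: firefox.exe reads CentralProcessor\0 in this very report. The Python below is an added example (not sandbox code and not a published rule) of combining those reads per process so that only the unusual combinations raise an alert: the VirtualBox ACPI key and the Wine key score on their own, BIOS version strings only count together with another check, and processor information carries no weight. The event field names (pid, image, key), the weights and the threshold are assumptions; the registry paths are the ones in the IoC tables above, and the sample events are constructed from those tables.

```python
import re
from collections import defaultdict

# Registry targets taken from the report's signatures. Weights are assumptions:
# the VirtualBox ACPI key and the Wine key have no reason to be touched by
# ordinary software; BIOS version strings are occasionally read by legitimate
# installers; CentralProcessor\0 is read by many programs (firefox.exe does so
# in this report), so on its own it must not raise an alert.
CHECKS = [
    ("vbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.I), 3),
    ("wine_key", re.compile(r"\\Software\\Wine$", re.I), 3),
    ("bios_version", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), 1),
    ("cpu_info", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I), 0),
]
ALERT_THRESHOLD = 2  # any single high-confidence check, or BIOS plus another


def classify(key_path):
    """Return (check_name, weight) for a registry path, or (None, 0)."""
    for name, rx, weight in CHECKS:
        if rx.search(key_path):
            return name, weight
    return None, 0


def score_events(events):
    """events: registry-access records as dicts {pid, image, key}
    (field names assumed; shaped like Sysmon registry events).
    Each check type counts once per process, however often it repeats."""
    per_proc = defaultdict(lambda: {"score": 0, "checks": set()})
    for ev in events:
        name, weight = classify(ev["key"])
        if name is None:
            continue
        rec = per_proc[(ev["pid"], ev["image"])]
        if name not in rec["checks"]:
            rec["checks"].add(name)
            rec["score"] += weight
    return dict(per_proc)


def alerts(events):
    """Processes whose combined evasion score reaches the threshold."""
    return sorted(
        (pid, image, sorted(rec["checks"]), rec["score"])
        for (pid, image), rec in score_events(events).items()
        if rec["score"] >= ALERT_THRESHOLD
    )


HW = r"\REGISTRY\MACHINE\HARDWARE"
USR = r"\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000"
# Constructed from the IoC tables above (one record per distinct row).
SAMPLE_EVENTS = [
    {"pid": 3008, "image": "KEBFHIJECF.exe", "key": HW + r"\ACPI\DSDT\VBOX__"},
    {"pid": 3008, "image": "KEBFHIJECF.exe", "key": HW + r"\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 3008, "image": "KEBFHIJECF.exe", "key": HW + r"\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 3008, "image": "KEBFHIJECF.exe", "key": USR + r"\Software\Wine"},
    {"pid": 4828, "image": "explorti.exe", "key": HW + r"\ACPI\DSDT\VBOX__"},
    {"pid": 4828, "image": "explorti.exe", "key": HW + r"\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 4828, "image": "explorti.exe", "key": USR + r"\Software\Wine"},
    {"pid": 1424, "image": "firefox.exe", "key": HW + r"\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
    {"pid": 1424, "image": "firefox.exe", "key": HW + r"\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 3748, "image": "783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe",
     "key": HW + r"\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
]

if __name__ == "__main__":
    for pid, image, checks, score in alerts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {image}: {', '.join(checks)} (score {score})")
```

Two caveats for production use: most registry-auditing configurations exclude HKLM\HARDWARE because it is noisy, so the VBOX__ and BIOS targets have to be added explicitly; and the original sample (pid 3748) reads only processor information here, so this logic intentionally does not fire on it, which is the price of not alerting on every browser launch.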
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe, KEBFHIJECF.exe, explorti.exe, explorti.exe
pid | process
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
3008 | KEBFHIJECF.exe
3008 | KEBFHIJECF.exe
4828 | explorti.exe
4828 | explorti.exe
2108 | explorti.exe
2108 | explorti.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 1424 | firefox.exe
Token: SeDebugPrivilege | 1424 | firefox.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 0ab60d16e4.exe, firefox.exe
pid | process (64 entries; repeated identical records collapsed)
3616 | 0ab60d16e4.exe (repeated)
1424 | firefox.exe (repeated)
3616 | 0ab60d16e4.exe (repeated)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 0ab60d16e4.exe
pid | process (64 entries; repeated identical records collapsed)
3616 | 0ab60d16e4.exe (repeated)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe, cmd.exe, eeea85c6b1.exe, firefox.exe
pid | process
3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe
2244 | cmd.exe
4400 | eeea85c6b1.exe
1424 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe, cmd.exe, KEBFHIJECF.exe, explorti.exe, 0ab60d16e4.exe, firefox.exe, firefox.exe
description | pid | process | target process (64 entries; repeated identical records collapsed)
PID 3748 wrote to memory of 4232 | 3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe | cmd.exe
PID 3748 wrote to memory of 2244 | 3748 | 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe | cmd.exe
PID 4232 wrote to memory of 3008 | 4232 | cmd.exe | KEBFHIJECF.exe
PID 3008 wrote to memory of 4828 | 3008 | KEBFHIJECF.exe | explorti.exe
PID 4828 wrote to memory of 4400 | 4828 | explorti.exe | eeea85c6b1.exe
PID 4828 wrote to memory of 3616 | 4828 | explorti.exe | 0ab60d16e4.exe
PID 3616 wrote to memory of 4452 | 3616 | 0ab60d16e4.exe | firefox.exe
PID 4452 wrote to memory of 1424 | 4452 | firefox.exe | firefox.exe
PID 1424 wrote to memory of 4856 | 1424 | firefox.exe | firefox.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
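A task whose action runs from the user's Temp directory, as explorti.exe does here, is the usual shape of this persistence. The Python below is an added example, not part of the report, that parses the CSV output of `schtasks /query /fo csv /v` and flags tasks whose action lives in a user-writable directory or matches a known drop path. The CSV sample is constructed (the column names as printed by an English-locale schtasks are assumed), and the `\explorti` task name is an assumption: the report shows the .job file and the COM API use, not the task name.

```python
import csv
import io
import re

# Action paths under these locations are writable by a normal user; a task
# whose action lives there is the usual shape of user-level persistence.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\(Local|Roaming)|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.I,
)

# Constructed sample of `schtasks /query /fo csv /v` output, reduced to a few of
# its columns (column names of an English-locale schtasks; assumed).
# The "\explorti" task name and the "\Backup" task are assumptions, not report data.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Author","Task To Run","Schedule Type"
"WIN11","\Microsoft\Windows\ExampleVendor\Update","ExampleVendor","C:\Program Files\ExampleVendor\update.exe","Daily"
"WIN11","\explorti","Admin","C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe","Hourly"
"WIN11","\Backup","Admin","C:\Users\Admin\AppData\Roaming\backup.exe /quiet","Daily"
'''


def find_suspicious_tasks(csv_text, known_ioc_paths=()):
    """Flag tasks whose action runs from a user-writable directory or matches a
    known drop path. Returns [(task_name, action, [reasons])]."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run") or ""
        reasons = []
        if USER_WRITABLE.search(action):
            reasons.append("action in user-writable directory")
        if any(p.lower() in action.lower() for p in known_ioc_paths):
            reasons.append("action matches known drop path")
        if reasons:
            flagged.append((row["TaskName"], action, reasons))
    return flagged


if __name__ == "__main__":
    # Drop path taken from the report's Amadey config and process tree.
    for name, action, why in find_suspicious_tasks(
            SAMPLE_SCHTASKS_CSV, known_ioc_paths=[r"ad40971b6b\explorti.exe"]):
        print(f"{name}: {action}  [{'; '.join(why)}]")
```

The `C:\Windows\Tasks\explorti.job` file recorded under "Drops file in Windows directory" is the legacy (Task Scheduler 1.0) on-disk form of a task, so an unexpected .job file in that directory warrants the same check as the schtasks output; the user-writable-directory rule will also flag legitimate per-user updaters, which is why the known-path match is reported as a separate, higher-confidence reason.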
Processes
-
C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe "C:\Users\Admin\AppData\Local\Temp\783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913.exe" 1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe" 2⤵
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe "C:\Users\Admin\AppData\Local\Temp\KEBFHIJECF.exe" 3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe" 4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\1000006001\eeea85c6b1.exe "C:\Users\Admin\AppData\Local\Temp\1000006001\eeea85c6b1.exe" 5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe "C:\Users\Admin\AppData\Local\Temp\1000010001\0ab60d16e4.exe" 5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account 6⤵
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account 7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c0f40b7-66e8-400a-a033-b677b1104667} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" gpu 8⤵
PID:4856
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12c59e7e-1b05-4f35-97b3-fca6f43bb5b7} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" socket 8⤵
PID:1596
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {619b7741-5b81-4642-acd8-e8a26103d724} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab 8⤵
PID:1184
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {823c3056-0611-432e-93e6-04c2d92300e0} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab 8⤵
PID:784
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4708 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {858266f4-34e4-46bf-9906-f311cd8f4992} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" utility 8⤵
- Checks processor information in registry
PID:888 -
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 3 -isForBrowser -prefsHandle 5588 -prefMapHandle 5504 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74ce866a-10e4-4c1c-8f27-3e64e61c1b06} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab 8⤵
PID:4500
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 4 -isForBrowser -prefsHandle 5820 -prefMapHandle 5816 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72da74e7-b6d3-4234-a354-2b30044b05f8} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab 8⤵
PID:4948
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5956 -prefMapHandle 5960 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1320 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d411d599-28e5-4ed0-a6db-e1981ca315da} 1424 "\\.\pipe\gecko-crash-server-pipe.1424" tab 8⤵
PID:2712
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFHIIEHJKK.exe" 2⤵
- Suspicious use of SetWindowsHookEx
PID:2244
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2108
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json.tmp
Filesize 20KB
MD5 751fc8c8739b847594b90d02611fb2fc
SHA1 0f14f2c0096ee7548b1a9229be1ac78d3341c009
SHA256 bf0fac13b99d55aa8656da4997cdd728e82fff0e909b48782bc8c34977a510a0
SHA512 3033def83c11490067026e37c4e6853d1aa7e69d0a3386d63075b4ecd32841e6f303a9e8a540e5da27a8ca7346260d0000face51e82086d694d3891ca79fa29a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 9dc91611a3bac0bb665853aced5fe43d
SHA1 43da1d979011904db6dc795c849b7bccab4129de
SHA256 078d2938a2aa9cde2618d8e6d54c67299f6e4ad1a8f05fd9bcb769b19400a1ba
SHA512 1afaae87beb50beea671269685d7200b99ada4391751919c2cb3349270ff96ded8cb03156e58e10b6aabbbb744b10c7a9e3c6432e0e8c0a558b94075b0c5c412
-
Filesize 2.3MB
MD5 e43a0ac327404f3008b679e0b1293c6b
SHA1 9a2461c520ccc44840c1bd041467ce084dadab51
SHA256 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
SHA512 804d187c5b62ada2a6d9ad922ce7042c66a0e2110b2cac7c223fcf37b0af3e514bdf37d08eac83972c21968833cd563bc3eb6099ed95df01e45039078b36d58d
-
Filesize 1.2MB
MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize 1.8MB
MD5 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA1 1308a16f47a014b4fe35573d944f69629fbc1255
SHA256 d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512 c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87
-
Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin
Filesize 12KB
MD5 9d4b20c757216226a6527f8497a8f8e1
SHA1 3a377c62f1729836117859152216093eba0d4041
SHA256 f5444789c98741f3d12ec323424fd36d4eab0ea1f30121821e61faf05192eefa
SHA512 9180145c505dcf7e44b47466bf013904a1529f594e0c08a6731201e355a491d02c8d3568a4de5b603a77f794e319e0401c8419d49fb86492e48163827d7e9602
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp
Filesize 25KB
MD5 a9842afb008cadbe42b5c710eb33f7b6
SHA1 056063dad03a35e517c1c7cbb4cb163a49b82b01
SHA256 d604e8da86e8e5aa8ad638c2a57463168c026daf17e2cebed772e49f6908ab1e
SHA512 d7781d0d1f3538b9d267cbd30b7adbe8b645f39704f0cf8624a21511703e7732e38697069b722f831f0808dab8acbf550ae28c70797eea0bf9496b6369841fda
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp
Filesize 23KB
MD5 f3c3cb7402aed31485f8142f0e1a25a8
SHA1 4cb0702439143b9b5b746c386fa793cf46c60e2c
SHA256 e4a26944b2dfd6c8f32fc0dcaa0ab98d22a69c12d13f2757c7ae0b6ae5ed9dc1
SHA512 5f972f49ac9ae3b746a55332d3b56cc03aaf096f362efb0bebfca906c87798830133915794346e0142f3e22ba6804750f69518db02c430d71103a320dd135ecf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp
Filesize 23KB
MD5 6883cf227a2bb2b576b8019e2ae9857a
SHA1 3c3bc6efa00fc18058aa38de73b2765b6a27aa25
SHA256 639823f7acd6b99220085bd47f9aacef50bbefffd91777113f6f9d9dadb2d090
SHA512 d60b83825bc377a38e69a162bcbb8c780ecc06690634999138ea75acf5d81d80287eb8e0fe9b0371d81f277f06c2bc3f5c74a8765530d6a683c3b691c943d5ae
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp
Filesize 22KB
MD5 a5fc44cbe83ba74756fa8c9729102972
SHA1 127c597c644e3f86d3e37b37f7bb7f3f395154fd
SHA256 7caf905e613052ee8261075402d6d2fc891be9a942c88fdd577925d06dcf0b9b
SHA512 6ba3c96dd3aed6fb3b1e01c52880c2dd863313f49a6a64a2b5b43f8a83e6f1e20d7abadbbbbd968fdbdcebd8d742f78998c3d37a3e6fcf3036b992d1b7b8e76b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp
Filesize 25KB
MD5 f22810c356d7fe0625835c6ca3d95a4f
SHA1 fb58180f7f59192c2b2bd26974788a6bd3146932
SHA256 f8ca9276c0ab44562c048e07ce4e701ae32b66a061912ccb076176537334dcdc
SHA512 a782a846d8f44b858a50dc507987676bfdc0bff9e91e86fcf9254de75a0e7792d4e282086437e8c4c6d3b452332001d8127027acfe4d0b6f0bc543e8a29b9a29
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\4e08504b-0201-44b1-920f-ec6f23e36d77
Filesize 982B
MD5 436b4664a39da460c7e17573b9a51fd2
SHA1 823f866978185f96e73d272516395e1cf987a69a
SHA256 85c72534fdd5e2c322de5f3f65f9865e3ed23314b5135fcca1e3022d7960f8e2
SHA512 b3186db18757dc12ee4d06a38e35a41a4dd1338db0ee0772ba6820d0f0f9bd6a287c5a98b881a107eb0704f1a060eb7bd56e0eda976081d9ed4a90621af7c6b0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\e245a087-6865-493f-a39b-10a207b6b84e
Filesize 659B
MD5 a1a8d0290cff3f4ab13eab00f7587f23
SHA1 b356e0bd3e81fa10cbb6c308cf8fbf852bd88fb1
SHA256 64964c529473d208062d39286df7fac9f6309dc51be7c428b43388b55dd41c58
SHA512 34667a09f1a768d1798784933710d775579b6545eee3e127a8acd9b37e483bdaf93648595337961b18ae11763f3c2e243c525d0287734bd4e57d5d0b15bde4d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize 10KB
MD5 328b05c2b42841899787564245269ebb
SHA1 eab183acd2a9bcd45d3ffa7596f08a7663643edc
SHA256 cf748c668cbb0f24d35dd631fd06e0be5120b6ddd03e6e042444ccba7f62eeeb
SHA512 c30d3dfda8fa760ead410c07e968510ae58a4a3b60068b6902b2dcf5af31f03b940af0ae8bb9a9cfa39f055536e0d508fba757ef6f9c3a4706e19555da0d55a8
-
Filesize 13KB
MD5 dc78bacee563a2187f0803f9e0626e26
SHA1 aef9af80af3065620b76dee6050a699ece3f7b4f
SHA256 5c550bf2b2931a7182ae821538adac22f956e64c4e2f205e56224aece8ba68f7
SHA512 6e4f175462aa8230697b62b296c9ce45e204fdde59f6f2b0eb93e444d6c3da44970323187432c85969406d25ef58e836ca93057602ff7cccea94640dff6f2f94
-
Filesize 8KB
MD5 960d72938c9e5d43e0c625d97e6004a8
SHA1 a5c030d5f773e44cb102ab0bfd40d42aa3e432a7
SHA256 7d9e45121f095c7f9d5d88321e27548da1e4ad563b15614c00106b200476114a
SHA512 d59f992fb4e0403352884077a34ddbaaabdfc88df2f4c3dbdfd012f550fa4643e35c12a488bc34c75f6cbd1d1ffe4a53f48abe7b19154bbd23597215c8a841a5
-
Filesize 8KB
MD5 53ecfc28a9ba6360533839c407c5130a
SHA1 67064166c4648d855dcb78c27d3ddede8225e657
SHA256 e31e9683225a2a701a5eef525fc0c00bcba0f1314ca46f860bcf7b374be0803c
SHA512 b110fac63d0712922ce7c073ac4d483b10186634c7dacd3786e915fca7a44ffe7c12ce559a6069e5a288722d3428000264ce93dbf9c2df52145b8623b1c90fde
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 1.1MB
MD5 b84b898fa53079cb4a4e03c84f813c4f
SHA1 504b97a706e06256a5047ceee6a339de7981dc47
SHA256 c7233da672e8c47ca4098dbee91ad405e96ab5207e99c4be17954707a1f152e8
SHA512 e36dfdf19418c1dcb209b23128485197e9a79c24921505bc422bef5b50224904714ee43df7893b5bcfe1950bea02ea602d69055f315050a7ff4987359ac305d9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 2.7MB
MD5 cef48e279a547a6fe0bb8c7955647b42
SHA1 ab40a8c863e60cce72af428fd026cbc3fe7a4366
SHA256 3a5419fafdf55dc380a193368a69f4c4ef615bc41930448de132407f56ab3df6
SHA512 54b4791a1d7c40864a42f2dbe6309e37da8fc9f5475020629ff9cf08da1b163b996e449cb8fd64759ee826e5831e4704fac90f9ee01a27b56044512ae66b51b6