Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 09-07-2024 22:46
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240704-en
General
Target: file.exe
Size: 2.3MB
MD5: e43a0ac327404f3008b679e0b1293c6b
SHA1: 9a2461c520ccc44840c1bd041467ce084dadab51
SHA256: 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
SHA512: 804d187c5b62ada2a6d9ad922ce7042c66a0e2110b2cac7c223fcf37b0af3e514bdf37d08eac83972c21968833cd563bc3eb6099ed95df01e45039078b36d58d
SSDEEP: 49152:LkYIJsBoDjEdjeXiaTwfqvASVk9yTYn8C4S5gioYgwm:NZj5aqq9ay+NpE
Malware Config
Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
Attributes:
  url_path: /920475a59bac849d.php
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
Attributes:
  install_dir: ad40971b6b
  install_file: explorti.exe
  strings_key: a434973ad22def7137dbb5e059b7081e
  url_paths: /Hun4Ko/index.php
The Amadey install_dir and install_file match the path the loader actually ran from in this trace, C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe, and the .job file it dropped under C:\Windows\Tasks carries the same name.
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
VirtualBox stamps its ACPI tables with the OEM ID VBOX__, which Windows exposes as a subkey of HKLM\HARDWARE\ACPI\DSDT; opening that key is a cheap VM check.
Processes (description / ioc / process):
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   explorti.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   explorti.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   FIIEHJDBKJ.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   explorti.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    explorti.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   FIIEHJDBKJ.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    FIIEHJDBKJ.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   explorti.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    explorti.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   explorti.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    explorti.exe
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes (description / ioc / process):
  Key value queried   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation   explorti.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation   4b28da5af2.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation   file.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation   cmd.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation   FIIEHJDBKJ.exe
-
Executes dropped EXE 6 IoCs
Processes (pid / process):
  4656   FIIEHJDBKJ.exe
  1336   explorti.exe
  2904   a3620829e2.exe
  1664   4b28da5af2.exe
  436    explorti.exe
  4368   explorti.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description / ioc / process):
  Key opened   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine   FIIEHJDBKJ.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine   explorti.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine   explorti.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine   explorti.exe
-
Loads dropped DLL 2 IoCs
Processes (pid / process):
  1008   file.exe
  1008   file.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe   autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the calling thread from reporting debug events, so an attached debugger no longer sees its breakpoints or exceptions. The sample and every non-AutoIt stage use it; the AutoIt stage 4b28da5af2.exe does not.
Processes (pid / process):
  1008   file.exe
  1008   file.exe
  4656   FIIEHJDBKJ.exe
  1336   explorti.exe
  2904   a3620829e2.exe
  436    explorti.exe
  4368   explorti.exe
-
Drops file in Windows directory 1 IoCs
C:\Windows\Tasks\*.job files are legacy (Task Scheduler 1.0) job definitions. The name matches the Amadey install_file explorti.exe from the extracted config, so this file, together with the Task Scheduler COM API use below, is the persistence artifact to hunt for.
Processes (description / ioc / process):
  File created   C:\Windows\Tasks\explorti.job   FIIEHJDBKJ.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments. On its own this is weak evidence: most of the hits below come from firefox.exe, which reads these values as part of normal startup.
Processes (description / ioc / process):
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       file.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   file.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature      firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision       firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier      firefox.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                  firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                  firefox.exe
-
Modifies registry class 1 IoCs
The only hit is from the browser process, not from the sample or its dropped stages.
Processes (description / ioc / process):
  Key created   \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings   firefox.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes (pid / process):
  1008   file.exe
  1008   file.exe
  1008   file.exe
  1008   file.exe
  4656   FIIEHJDBKJ.exe
  4656   FIIEHJDBKJ.exe
  1336   explorti.exe
  1336   explorti.exe
  436    explorti.exe
  436    explorti.exe
  4368   explorti.exe
  4368   explorti.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
All five hits are the Firefox parent process enabling SeDebugPrivilege; none of the sample's stages adjusted token privileges.
Processes (description / pid / process):
  Token: SeDebugPrivilege   1360   firefox.exe
  Token: SeDebugPrivilege   1360   firefox.exe
  Token: SeDebugPrivilege   1360   firefox.exe
  Token: SeDebugPrivilege   1360   firefox.exe
  Token: SeDebugPrivilege   1360   firefox.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid / process; the table is capped at 64 rows and the same pids repeat):
  4656   FIIEHJDBKJ.exe   (1 row)
  1664   4b28da5af2.exe   (most rows)
  1360   firefox.exe      (remaining rows)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid / process; the table is capped at 64 rows and the same pids repeat):
  1664   4b28da5af2.exe   (most rows)
  1360   firefox.exe      (remaining rows)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid / process):
  1008   file.exe
  3744   cmd.exe
  2904   a3620829e2.exe
  1360   firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid / source process / target pid / target process; each write is one row, table capped at 64 rows):
  1008   file.exe         wrote to memory of   1588   cmd.exe          (3 rows)
  1008   file.exe         wrote to memory of   3744   cmd.exe          (3 rows)
  1588   cmd.exe          wrote to memory of   4656   FIIEHJDBKJ.exe   (3 rows)
  4656   FIIEHJDBKJ.exe   wrote to memory of   1336   explorti.exe     (3 rows)
  1336   explorti.exe     wrote to memory of   2904   a3620829e2.exe   (3 rows)
  1336   explorti.exe     wrote to memory of   1664   4b28da5af2.exe   (3 rows)
  1664   4b28da5af2.exe   wrote to memory of   3960   firefox.exe      (2 rows)
  3960   firefox.exe      wrote to memory of   1360   firefox.exe      (11 rows)
  1360   firefox.exe      wrote to memory of   4856   firefox.exe      (33 rows)
The writes follow the process tree below: each parent writes into the child it just created (the sandbox counts the CreateProcess-time writes), so the only new information here is the parent/child relationships.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
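Each of the anti-analysis signatures above is weak on its own: firefox.exe reads CentralProcessor, cmd.exe and file.exe read Geo\Nation. What separates FIIEHJDBKJ.exe and explorti.exe from the noise is that they hit several families of keys (VBOX__, BIOS versions, Wine, Geo). The following is an added example, not part of the sandbox report: a Python scorer that parses rows in the same "Key opened <path> <process>" shape as the tables above, maps the native \REGISTRY\ prefixes to HKLM/HKU, counts each probe family once per process and flags processes whose weighted total reaches a threshold. The sample rows are constructed from the report; the families, weights and threshold are assumptions for illustration.

```python
"""Score sandbox registry rows for anti-analysis probes (added example)."""
import re
from collections import defaultdict

# Probe families seen in this report, matched on a normalised path, with a
# weight. The VBOX__ DSDT name, BIOS version strings and the Wine key are
# read almost only by code looking for a VM or sandbox; Geo\Nation and
# CentralProcessor are also read by ordinary software (cmd.exe and
# firefox.exe here), so they weigh less. Weights/threshold are assumptions.
PROBES = {
    "vbox_acpi": (re.compile(r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.I), 3),
    "bios":      (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), 2),
    "wine":      (re.compile(r"^HKU\\[^\\]+\\Software\\Wine$", re.I), 3),
    "geofence":  (re.compile(r"^HKU\\[^\\]+\\Control Panel\\International\\Geo\\Nation$", re.I), 1),
    "cpu":       (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I), 1),
}

# One row of the signature tables: "<op> <native registry path> <process>".
# Paths may contain spaces, so the path group is lazy and the process name
# must be the last whitespace-free token ending in .exe.
ROW = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S.*?)\s+(\S+\.exe)$")

# Constructed from the tables above: one representative row per kind of hit.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ FIIEHJDBKJ.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FIIEHJDBKJ.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation explorti.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation file.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation cmd.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation FIIEHJDBKJ.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine FIIEHJDBKJ.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Wine explorti.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe",
]


def normalise(path):
    """Map the native \\REGISTRY\\MACHINE / \\REGISTRY\\USER prefixes to HKLM / HKU."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER", "HKU", p, flags=re.I)
    return p


def parse_row(line):
    """Return (op, normalised_path, process) or None for lines that are not rows."""
    m = ROW.match(line.strip())
    if not m:
        return None
    op, path, proc = m.groups()
    return op, normalise(path), proc


def classify(path):
    """Return (family, weight) for the first probe family the path matches."""
    for name, (rx, weight) in PROBES.items():
        if rx.search(path):
            return name, weight
    return None, 0


def score(rows):
    """Per process: distinct probe families hit and their summed weight."""
    out = defaultdict(lambda: {"score": 0, "families": set()})
    for line in rows:
        parsed = parse_row(line)
        if not parsed:
            continue
        _, path, proc = parsed
        fam, weight = classify(path)
        # A family counts once per process: repeated reads of the same key
        # (explorti.exe queries the BIOS strings four times) add no evidence.
        if fam and fam not in out[proc]["families"]:
            out[proc]["families"].add(fam)
            out[proc]["score"] += weight
    return dict(out)


def verdicts(rows, threshold=4):
    """Sorted names of processes whose combined probe weight reaches the threshold."""
    return sorted(p for p, s in score(rows).items() if s["score"] >= threshold)


if __name__ == "__main__":
    for proc, s in sorted(score(SAMPLE_ROWS).items()):
        print(f"{proc:16} score={s['score']:2} families={sorted(s['families'])}")
    print("flagged:", verdicts(SAMPLE_ROWS))
```

With the assumed weights, explorti.exe and FIIEHJDBKJ.exe score 9 (four families each) while file.exe scores 2 and cmd.exe, 4b28da5af2.exe and firefox.exe score 1, so only the two Amadey stages are flagged; lowering the threshold to 2 would also pull in the sample itself on Geo\Nation plus CentralProcessor, which is the trade-off to tune against your own benign baseline.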
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008 -
[2] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe"
    (the 32-bit sample asked for system32\cmd.exe; WoW64 file system redirection resolved it to SysWOW64)
- Suspicious use of WriteProcessMemory
PID:1588 -
[3] C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4656 -
[4] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336 -
[5] C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2904 -
[5] C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1664 -
[6] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID:3960 -
[7] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360 -
[8] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1582112-41b1-4f79-ac42-3cb3436c515d} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" gpu
    PID:4856
-
[8] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63f11193-ee98-4f65-85f0-065ba72bfcc6} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" socket
    PID:3920
-
[8] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 1432 -prefMapHandle 2812 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2510895b-be24-4cd1-90fd-4e2fe10d8c5f} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab
    PID:4988
-
[8] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70201111-5195-4c49-beea-1abe9420e69c} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab
    PID:636
-
[8] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4628 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4620 -prefMapHandle 4616 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9caec85d-d1cc-4e36-9530-f4442ceab21b} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" utility
- Checks processor information in registry
PID:3856 -
[8] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5524 -prefMapHandle 5520 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67c12ae4-7f47-4f8d-ae3c-ddcc75457c55} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab
    PID:3224
-
[8] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 4 -isForBrowser -prefsHandle 5708 -prefMapHandle 5704 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c9b75a7-a07c-4c78-a2f6-21bb79711e56} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab
    PID:2512
-
[8] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bfca1b0-c215-479e-b8ff-8982258b2df7} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" tab
    PID:4772
-
[2] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKKKFBGDHJ.exe"
    (no AKKKFBGDHJ.exe process appears in this tree; the second payload did not run in this trace)
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3744
-
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:436
-
[1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4368
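The tree shows the full launch chain: file.exe runs cmd.exe with start "" to detach FIIEHJDBKJ.exe, which installs itself as ad40971b6b\explorti.exe (the Amadey install_dir and install_file from the config) and writes C:\Windows\Tasks\explorti.job; explorti.exe then launches the numbered payloads 1000006001\a3620829e2.exe and 1000010001\4b28da5af2.exe, and the AutoIt-compiled 4b28da5af2.exe opens Firefox on https://www.youtube.com/account. The two root-level explorti.exe instances (PIDs 436 and 4368) are the scheduled task firing. The second launcher (PID 3744, AKKKFBGDHJ.exe) spawned no child. The following is an added example, not code from the report or the sandbox vendor: Python rules over a constructed process/file event list that rebuild each process's ancestry and flag the patterns above. PIDs, image paths and command lines are taken from the tree; the event shape ({type, pid, ppid, image, cmdline} and {type, pid, path}) is an assumed Sysmon-style layout, and the rule names and directory list are assumptions.

```python
"""Rules over a process/file event feed for the launch chain above (added example)."""
import re
from pathlib import PureWindowsPath

# cmd.exe /c start "" "<target>": the empty "" is the window title; start
# detaches the target so it outlives the cmd.exe that launched it.
START_RE = re.compile(r'/c\s+start\s+""\s+"([^"]+)"', re.I)
# Directories a standard user can write to (assumed list, extend as needed).
USER_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Constructed event list modelled on the tree (values from the report, shape assumed).
EVENTS = [
    {"type": "process", "pid": 1008, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"type": "process", "pid": 1588, "ppid": 1008, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe"'},
    {"type": "process", "pid": 3744, "ppid": 1008, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKKKFBGDHJ.exe"'},
    {"type": "process", "pid": 4656, "ppid": 1588, "image": r"C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FIIEHJDBKJ.exe"'},
    {"type": "file", "pid": 4656, "path": r"C:\Windows\Tasks\explorti.job"},
    {"type": "process", "pid": 1336, "ppid": 4656, "image": r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"'},
    {"type": "process", "pid": 2904, "ppid": 1336, "image": r"C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1000006001\a3620829e2.exe"'},
    {"type": "process", "pid": 1664, "ppid": 1336, "image": r"C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1000010001\4b28da5af2.exe"'},
    {"type": "process", "pid": 3960, "ppid": 1664, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account'},
    {"type": "process", "pid": 1360, "ppid": 3960, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account'},
]


def in_user_writable(path):
    p = path.lower()
    return any(d in p for d in USER_DIRS)


def basename(path):
    return PureWindowsPath(path).name


def build_procs(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pid, procs):
    """PIDs from the root of the tree down to pid (stops at unknown parents; cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def chain_str(pid, procs):
    return " > ".join(basename(procs[p]["image"]) for p in ancestry(pid, procs))


def detect(events):
    """Return findings as dicts {rule, pid, chain, detail}, in event order."""
    procs = build_procs(events)
    findings = []

    def add(rule, pid, detail):
        findings.append({"rule": rule, "pid": pid, "chain": chain_str(pid, procs), "detail": detail})

    for e in events:
        if e["type"] == "process":
            name = basename(e["image"]).lower()
            parent = procs.get(e["ppid"])
            if name == "cmd.exe":
                m = START_RE.search(e.get("cmdline", ""))
                if m and in_user_writable(m.group(1)):
                    add("cmd_start_launcher", e["pid"], m.group(1))
            elif in_user_writable(e["image"]):
                add("exec_from_user_dir", e["pid"], e["image"])
            # A browser whose parent lives in a user-writable directory is being
            # driven by a dropped stage (here the AutoIt payload opening YouTube).
            if name in BROWSERS and parent and in_user_writable(parent["image"]):
                url = re.search(r"https?://\S+", e.get("cmdline", ""))
                add("browser_spawned_by_dropper", e["pid"], url.group(0) if url else "")
        elif e["type"] == "file":
            p = e["path"].lower()
            writer = procs.get(e["pid"])
            if p.startswith("c:\\windows\\tasks\\") and p.endswith(".job") \
                    and writer and in_user_writable(writer["image"]):
                add("task_job_from_user_dir", e["pid"], e["path"])

    # A launcher whose target never shows up as a process is worth its own
    # label: either the payload failed, or the feed missed its creation.
    images = {basename(p["image"]).lower() for p in procs.values()}
    for f in findings:
        if f["rule"] == "cmd_start_launcher" and basename(f["detail"]).lower() not in images:
            f["rule"] = "cmd_start_launcher_no_child"
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:30} pid={f['pid']:<5} {f['chain']}  [{f['detail']}]")
```

On the constructed feed this yields one launcher finding for PID 1588, a no-child launcher for PID 3744, exec_from_user_dir for the sample and each dropped stage, the .job drop attributed to FIIEHJDBKJ.exe with chain file.exe > cmd.exe > FIIEHJDBKJ.exe, and a browser_spawned_by_dropper hit only for the Firefox instance started by 4b28da5af2.exe (its own child firefox.exe is not flagged, since its parent is not in a user-writable path).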
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 18KB
MD5: d503f9a7e370491f25f26f25f326e7c0
SHA1: 8be7f1650779a5d2cd4288dacad75498239a5f8e
SHA256: 4b1b431b2ef840e9702fd06d8afb47b51eaa352f329b8bc4657c3e432fc78242
SHA512: 65e16f1e9d36fc6ef0fe6f2c80cc812064d58716a201777ceb37a3696ac5b7201c74969e3500c5ce2da19d59f23c18d1e3a0819c2465472269c4d0b20468ba16
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize: 13KB
MD5: d6c3326716b6fbfb4fa90b717210df29
SHA1: bcc7271d603c9319c353bb8479121d81b3184734
SHA256: 220b2c4b58ca16b347e1f3401ec189a1f90f8431724ad2f9e7dd9450e444f2ae
SHA512: ea3eb814c82291cf9e03879587d333b7ad673c574460c1be01e23b3ac9682f23b27dee824c8e83465b32cc2eb4074260b4566cebf847bd4e16a180c887c98416
-
Filesize: 2.3MB
MD5: e43a0ac327404f3008b679e0b1293c6b
SHA1: 9a2461c520ccc44840c1bd041467ce084dadab51
SHA256: 783022b9c596ebec7986ba52f6002f90448b9ded95755391d4bf27d52702f913
SHA512: 804d187c5b62ada2a6d9ad922ce7042c66a0e2110b2cac7c223fcf37b0af3e514bdf37d08eac83972c21968833cd563bc3eb6099ed95df01e45039078b36d58d
-
Filesize: 1.2MB
MD5: bea6ed281b600eae06be252f581721c1
SHA1: 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256: d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512: 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize: 1.8MB
MD5: 8c6765fe39a0cf9b8c2ed1fb8649be1c
SHA1: 1308a16f47a014b4fe35573d944f69629fbc1255
SHA256: d86542ecb698baa2d2f530413ece779db99e2ee51ec09af248b33be214334ed0
SHA512: c418c281aba4c5e7c5f58a453b7dac2e42b154572b71ff5ebb1ffd25d94d2d67302a52fdd10786dddeab204bac7f09e27e95d5f8d9f7fe4383ccd630b1948e87
-
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin
Filesize: 12KB
MD5: 461e7d80dfa1cd698fd40b82ea12c68f
SHA1: 66ce5c32b2f65b4aaa7cb0969d84162b73202e3f
SHA256: 99dd8c481c4c590ac87568b48a81c85b5b6caefae7ed67ac4e6b0b8ff7153b35
SHA512: 188f40bb5c3172bff8db9304e9d64cf247661ef0b05eb70e0734d04dc2609403cfde21416577fd2839122ddd26927bf58ae943762fabf4329e38d6b1abd3a530
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 35KB
MD5: afd316813c823a03cf045a06b1f3eb63
SHA1: 8a13fe4501cee41e1fca5f1a5aa1b91a5d470965
SHA256: 1fffbaa839cb8f63f17f15390fe28d4ccacb97c296f974e5cdc7a462b664c083
SHA512: 0544fb522188fa8c13b04c87bf5180bd5db7acfe3fe020f520753cbcbc7973f8fde77b95072746614896c76a938488b6473218a8b1847e0e276c1d93f5c3aac0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
MD5: 24a481b7e240f82e51c4b6647a28d9da
SHA1: 834f07d8145c7d0442af5d884417309c701c67af
SHA256: b0ab139684c19d0fb32202802d1741edad30bc82c6ff60a72575967e55c38f1c
SHA512: e385e030f3a46dfbffbdc128ae42ebcf9f19e4eaea687d27da07bc77c12766514eedf63bf49e0027872a82b7ae8bee7cad88551f10ebc09f6f6827818ce94154
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 21KB
MD5: 35208189a9b062be93ccd4d7bae6abc4
SHA1: f7a333debde00e09803f76c5a2c5568785993e08
SHA256: b908817d7983ec899378eff9a426225bad15ea4aae3aa421f6f30fe74baec8a2
SHA512: 6615136c8673cc167903425ad14876d2d1fe477f3a528751398fb3172939e90a2d150bfac05564be0d161dd0c52a5fec72a86a6c0d4766e3ea8cc1b6c66c93d1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 22KB
MD5: 4ecf653eb5cc309e3a0ef4dfc389ada5
SHA1: e73169a808ae5cb422f6e4ce2461fc65afa3e489
SHA256: 69825c21c1e81524eb47809ceb6ca341df84c264bb6793f6b77dae9f77a81622
SHA512: b0291b574a3b53ca67622519e432205e1ce3434f59bba741fa23d8e9a0aa9c3e6da962247128aebf298dc9f031a246f4bec9207430a7bfbac1b34723a2327925
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\1422b79a-8b85-404e-a11a-9af1eaa85398
Filesize: 659B
MD5: b0201bd8160eb33b5e8394c618ffe9aa
SHA1: a3e14ee321266e451d59a37a8fcc1cd65b5fdd6c
SHA256: 94f1dae2ee3171b9728e6b6ae865be19746681eea7b2cf2939a961b0991d293b
SHA512: 2ff3c03286267f9fb3a1b84ded03410df4364a049e9ac3a6872ce1367d4e81fb084d02c60c3384b3ea6bdb2d1e5e7ace493846a64bf5d06dea58dfe83d269525
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\2d174ab2-173d-4e70-804a-41f4cc4f59ea
Filesize: 982B
MD5: 07027d496e867c2f1cf9b08d48a923c0
SHA1: b2249f48d5057f281210d208a926934c425d7ae9
SHA256: 4940ccd9dad7716989ab44ff7a30e8675a9db60205964b3f20aaa376526682e2
SHA512: 590a2d38b14075d33e2b786a7dd0892d1a9549b93424777b333c9cf5b4f7277f680a06445078cd5ee8f61fb42c0e375ab52893edf02b4f7dedd9a3b5985325fa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 13KB
MD5: fc3d373bdfae834bf32f879013f23b54
SHA1: 0704215fff7bb7a358ebeb7a3ada3ff2966c9d2d
SHA256: 2ab9cf8049e58f0a389a14b66aa1bdfde857e009fa2925a30c725890ce52d1e1
SHA512: 31fffe0dddb090b191021081dd09e61563df916252c4f1d45c546e444c5c2e0f1ad75b34a19df9306349d583cdef6f6fbc8b78b890457587ceb5986e828c4dde
-
Filesize: 8KB
MD5: a9cec187d2c5ad25ca8ffed106a488cb
SHA1: a3220ef64a5996e5f82c657950502ebebcdafb72
SHA256: eaa6094b803b75b78a262853affd1f96e43408724c791f5245945e4e24939543
SHA512: 4d375e95d53b46dcbc1ac48e870dc5a9379ac23a888e7a23bdd4e116194ab67a4dd60fe3fec0b78603087f830631d442425276bd84c69eab1ce2ddd5ec1812a2
-
Filesize: 8KB
MD5: 56ee8d7842ce43902b42f8d653391e81
SHA1: 22ac0d06085115f869ce4b1fd518061d4edad877
SHA256: 42cef8cb548278f03bb4a2490853dcc040c528d5920b17f97923dfe4d0919b1a
SHA512: 009e71ee3311f2d970c362b24477f43e34169d7e9dcf7cb73f489ca222211166af0844ddfcd4136c0426816c6ea49076e60e95c6760f51ff6d9f9a93da20d99f
-
Filesize: 9KB
MD5: 6aa7fe4b1f24488e5dbc5de45157e8cb
SHA1: 98c325d0a7a4a3c1e452350fe5601fcfe81764e4
SHA256: 981c6f4ee91ccef860ba3c8aa1e3ec5e6ce6cd9c10587ddf9e7debba56d63a22
SHA512: 6bbab2da66a49e66cc4032ee2a22541db134b751acad1c9267d3b520818c039d35db0223b04322008f529d1f443cacb6f5d62ae045e40f391d850c7ed8746cbc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 1.7MB
MD5: 0185b20ed1cc6ded132a0aacdff6e86d
SHA1: df519aa070aaf20ac7c5f9146e47451e4a26a874
SHA256: 9f4b39086adcd77f1d4b59ae07a510c23080c495fcebf19e9157be7aba1d6ac5
SHA512: 9bfe9698a47914aea081a2126672b6fdd0f95dfbbd33316592417baf90e160f5d1bc2947501a603ac6a4c429fde48d424300e2d9de9ae182e68fb1cc8b99826d