Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
09-07-2024 23:25
Static task
static1
Behavioral task
behavioral1
Sample
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
Resource
win10v2004-20240709-en
General
-
Target
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
-
Size
2.4MB
-
MD5
1552573045f153aa7269a30d3a1dd151
-
SHA1
d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
-
SHA256
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
-
SHA512
8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460
-
SSDEEP
49152:fUJ0tlSm5vh9dwM4tYensXVh9uZl3Rh7LRCFIg6EWkJeectmfdF:M2VR4t/sFbgdRh7CWeeeww
Malware Config
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: CAFIEBKKJJ.exe, explorti.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CAFIEBKKJJ.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, CAFIEBKKJJ.exe, explorti.exe, explorti.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CAFIEBKKJJ.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CAFIEBKKJJ.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
-
Executes dropped EXE 6 IoCs
Processes: CAFIEBKKJJ.exe, explorti.exe, e1010ef8e3.exe, 6728fd7bd0.exe, explorti.exe, explorti.exe
pid | process
1592 | CAFIEBKKJJ.exe
4296 | explorti.exe
3360 | e1010ef8e3.exe
4980 | 6728fd7bd0.exe
2788 | explorti.exe
4572 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorti.exe, explorti.exe, explorti.exe, CAFIEBKKJJ.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Wine | CAFIEBKKJJ.exe
-
Loads dropped DLL 2 IoCs
Processes: d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
pid | process
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes: d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe, CAFIEBKKJJ.exe, explorti.exe, e1010ef8e3.exe, explorti.exe, explorti.exe
pid | process
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
1592 | CAFIEBKKJJ.exe
4296 | explorti.exe
3360 | e1010ef8e3.exe
2788 | explorti.exe
4572 | explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes: CAFIEBKKJJ.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | CAFIEBKKJJ.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe, firefox.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe, CAFIEBKKJJ.exe, explorti.exe, explorti.exe, explorti.exe
pid | process
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
1592 | CAFIEBKKJJ.exe
1592 | CAFIEBKKJJ.exe
4296 | explorti.exe
4296 | explorti.exe
2788 | explorti.exe
2788 | explorti.exe
4572 | explorti.exe
4572 | explorti.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: firefox.exe
description | pid | process
Token: SeDebugPrivilege | 4592 | firefox.exe
Token: SeDebugPrivilege | 4592 | firefox.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: CAFIEBKKJJ.exe, 6728fd7bd0.exe, firefox.exe
pid | process (identical consecutive rows collapsed; 64 rows in total)
1592 | CAFIEBKKJJ.exe
4980 | 6728fd7bd0.exe (x7)
4592 | firefox.exe (x21)
4980 | 6728fd7bd0.exe (x35)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 6728fd7bd0.exe
pid | process (identical rows collapsed; 64 rows in total)
4980 | 6728fd7bd0.exe (x64)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe, cmd.exe, e1010ef8e3.exe, firefox.exe
pid | process
4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe
3752 | cmd.exe
3360 | e1010ef8e3.exe
4592 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe, cmd.exe, CAFIEBKKJJ.exe, explorti.exe, 6728fd7bd0.exe, firefox.exe, firefox.exe
description | pid | process | target process (identical consecutive rows collapsed; 64 rows in total)
PID 4548 wrote to memory of 2484 | 4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe | cmd.exe (x3)
PID 4548 wrote to memory of 3752 | 4548 | d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe | cmd.exe (x3)
PID 2484 wrote to memory of 1592 | 2484 | cmd.exe | CAFIEBKKJJ.exe (x3)
PID 1592 wrote to memory of 4296 | 1592 | CAFIEBKKJJ.exe | explorti.exe (x3)
PID 4296 wrote to memory of 3360 | 4296 | explorti.exe | e1010ef8e3.exe (x3)
PID 4296 wrote to memory of 4980 | 4296 | explorti.exe | 6728fd7bd0.exe (x3)
PID 4980 wrote to memory of 3260 | 4980 | 6728fd7bd0.exe | firefox.exe (x2)
PID 3260 wrote to memory of 4592 | 3260 | firefox.exe | firefox.exe (x11)
PID 4592 wrote to memory of 1852 | 4592 | firefox.exe | firefox.exe (x33)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4548
-
C:\Windows\SysWOW64\cmd.exe (level 2)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe"
- Suspicious use of WriteProcessMemory
PID: 2484
-
C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\CAFIEBKKJJ.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 1592
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4296
-
C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe (level 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\e1010ef8e3.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID: 3360
-
C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe (level 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\6728fd7bd0.exe"
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4980
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID: 3260
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4592
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c36b5872-0d16-4b17-ab73-5d32f5117053} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" gpu
PID: 1852
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31311789-1ae4-44ff-bfa0-4b5e2ceff67e} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" socket
PID: 1528
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2936 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3d13f01-cfb8-49b7-b761-1dbe0ed19868} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
PID: 2000
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f63ee51-6904-4da3-b519-35031dc27ab9} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
PID: 3448
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4824 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cde677d-f03b-4235-bcf7-9d7cd8d5fdba} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" utility
- Checks processor information in registry
PID: 2332
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5520 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2daead61-4b99-445e-bea6-e8f52b07ed24} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
PID: 776
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 4 -isForBrowser -prefsHandle 5660 -prefMapHandle 5668 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d42d340-722c-4a5a-888e-05fbe4a2c9c1} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
PID: 1532
-
C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5860 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7edefeb9-a870-4756-b4dd-b2edc82e3e04} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
PID: 1292
-
C:\Windows\SysWOW64\cmd.exe (level 2)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEHIJJKEGH.exe"
- Suspicious use of SetWindowsHookEx
PID: 3752
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 2788
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 4572
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
593KB
MD5
c8fd9be83bc728cc04beffafc2907fe9
SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD5
1cc453cdf74f31e4d913ff9c10acdde2
SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\activity-stream.discovery_stream.json.tmp
Filesize
18KB
MD5
2f117db5b20f8f31cb7a0e7e2cf00fd3
SHA1
7f8bdd370ee9c819f9267c59d7c161042cd869cf
SHA256
6536839200468d165395d792be97321cff7f3c1e465384f6557ac45cb8bbf082
SHA512
92f7c2aad9af839744004fb3c2a9ed7a12ea63b5102136f81dd61328b6b3c19900d1bb1a142fcdeeb14dfc29daf58b2c8777958a4bb510639add014f6a72c1ca
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize
13KB
MD5
1daa8022960299febb443e4570a7469e
SHA1
620ea1345135ffdb8af3a9076dbf266f8fe902ac
SHA256
f3e984b1519bf4852d8bdec45efede20f745ab08f1ac44f1feef900710d4b48c
SHA512
1b820742362eda8ad335d50edac9e39c1646fa1eea8e38729137c4f65e5046f8c8efec6198340ae2877df6c9e8a3ae6cb1c061a33c3d07ae4f8959a42a2963c2
-
Filesize
2.4MB
MD5
1552573045f153aa7269a30d3a1dd151
SHA1
d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
SHA256
d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
SHA512
8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460
-
Filesize
1.2MB
MD5
bea6ed281b600eae06be252f581721c1
SHA1
25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256
d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512
746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
1.8MB
MD5
e8dd22ee36d1c52d657cf17d1cb7d3ef
SHA1
173c7859c41f254327d08351f17569b2ee6b9e00
SHA256
60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
SHA512
37636a17778b5bf2d531e20f05601541e6ac4a4e0e973149bd2e4fb08324077dfbab5c1c848b81895f2e657113c5290604ffe6c59e783a3c443827a53e837fd9
-
Filesize
479KB
MD5
09372174e83dbbf696ee732fd2e875bb
SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD5
0a8747a2ac9ac08ae9508f36c6d75692
SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\AlternateServices.bin
Filesize
12KB
MD5
250e5ed20cc3e4744815f64a2aac327d
SHA1
f40e563edc8dc8e6a0d28bf10aa4431635c6282c
SHA256
350d40ca541373058c545d89ecef86e8c414f1fc552a8b4702c8a9ead3a19d95
SHA512
09347c561c899f98d09b6f14a0fc4774169f2795b9cc24b994527ced371e81f62d72031cd5670318b7d5d22629088b5a73eb5ead874b2d2e198271527b7fbbce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp
Filesize
25KB
MD5
2e456b96a6b1e992088e2d77b97d357d
SHA1
f3b86a320ed3c167e6f3d09ed2fb0dec0de31c78
SHA256
547e79a211099a5e3bcd5fa64abec99b54f1df09e649df4321da5c05ec49f9df
SHA512
dfacd25e688d5cd6417442e6647afbb9b1ae36e7b02db19594d8028141aee703a568faf2feee36e7a51202c047183ef8752f969b917bc84d8233a4033f2b02b5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp
Filesize
25KB
MD5
2b15342cfe3bb0b5a4292b52974aaff7
SHA1
7dde7717582e9c89a2d65a9e71230ee8676d2265
SHA256
16c70ac1ef1cd222a605eeca30cac8c409b3a572e3700b00e616a42eafa357e4
SHA512
77c280578180f840f75b6db57b650157ac1d3198395bf10eb36a9deb55f669dcb2157cdfc0798e1efc3aa4a1de39ceab6cdb81f6121c31753fe1e6377e296aa8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp
Filesize
22KB
MD5
09cb12da02ef09b5be3527b057a76f0f
SHA1
06d945b372747c0296f07a67ddcf70b8d47aa4b4
SHA256
532a358f94e8e69272618a94a5694f67b2d2e163c054675ee6bde5648813c533
SHA512
bbc6fc4f1186f7d2d1905f9071d6900b36e27a625538d55a81bcddb4015dce6bae7d5cf0884e55be439bd95316c31cdfc8b62357a7898aa061a880e288cfb9be
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\db\data.safe.tmp
Filesize
23KB
MD5
5c4f616010e53fb3c0395f28af6c17f7
SHA1
da19a651e42859f43885b225b236ddd98a0c2eff
SHA256
5ea109fcdeb65d11c7c52db9f01b46c86abd4792ed242812f3b5a9444dd222d2
SHA512
a35ff5b47fa13d5c84392942d4d630cbd68bf06c4bca236fca44ecc6d42a88b46e58d3b55d684b728b5be9def1dabb0c7b7c9a3386cb40896e18911fa53118ef
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\pending_pings\54ec251d-9a5c-4db9-bade-d60737f7ae1b
Filesize
982B
MD5
48dba7139c7e20c523f81a5ced480c92
SHA1
d8381ea14706541d7c1bd646f06bb635eb5cc357
SHA256
0752fe05ca714a537e348f538f8bb9798382c5961818d4e47ee22be109e52727
SHA512
ae47e2c9ff0342f8e1c4fb8250f462423659889617c054e130f71bffa4daeb341b483ac4bb51a3e363a77e998c5e52054f80bebe0af428bcb186b116efe88be9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\datareporting\glean\pending_pings\ee064bb9-0aea-4c3e-ab5f-75a3d6a7e26f
Filesize
659B
MD5
bc6afd82b23f1b6ab2fff19b0dc836f8
SHA1
e725d97be1a532e74d76a1e17d3a6a7f5efe1e67
SHA256
02e64616ae6cda3248c877dc9351c96c79249414e58fa24b073624a6c2fa9981
SHA512
20cc52ae39424d04bc89da99a8f8308e04212ce8f8f6d9bdca80dee2a6cbdd7963358930bdd3e06b323e507180550b17b3b5b2cd07c2abe13f53b49e683f3fb5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\b0ht3gr0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5
ec48ba701b0960bea88686940e649d1e
SHA1
fb519afd11f2da2882cb28429dd43eb55d81fa64
SHA256
441d7c5eb514d3e7528eb38e86da08c3822c99d001959670aa716e72c055f923
SHA512
dc1e69ec02e0383ef78cad7387d9f3d6852c0a4a10a87f20a2574244b7d1415b35df97800d99e449dd141f43ef06e49028af2b75b3b20136a02e476d376eee8e
-
Filesize
8KB
MD5
4508ab2b509f443a75f9acab5965516c
SHA1
513ff0ea3b7d1ff7457231b948dd929306a5ad2a
SHA256
d1bdd79c352e1c9a33312d4cab63a28ff3610d4b135648f49253c9e130662dd9
SHA512
80f0d4556e9774d5fc0d8a77960ff406e32c67df7ada67c84bb3a1d80915f77cb150d89369a013ea260aee127109ce4fad8a9d77cf8b37494ac2001edcd45a50
-
Filesize
13KB
MD5
5607cde920a155bd08af6e5dc1e6a554
SHA1
97532c82e9fcbab2f26eb62693e52e0cea119d34
SHA256
b5d1cbc312968f749aaa9186f327ea12b60e3792882a5ef4160cb240e29594ef
SHA512
5de14e2da6ed04e675560f8bda012b247f37c7f5ab1abcf137db83298b47853d166006e7aa482f2c910bb430fa87a16f03aecd0d41d3717b0e7ddeb840826c94
-
Filesize
8KB
MD5
be7c007286a465516abb13401d580d09
SHA1
2920d23d42de16f4d1bd59dc0c91f96428a544b8
SHA256
ed80ec0e37fa418cca6892d58d1108e99ee7572f3c05aa9d5a769d3a2bf6dffb
SHA512
dc662227fc0b012f5a5c887e90c43a559a3c693523ebc14c208b5f2c31ac0f726c7aeb2d3b5ed163d564b687443022d5e5453844efd3eff198e8adf784841ac3
-
Filesize
8KB
MD5
e88e4160b98c617df2efcabf898e8869
SHA1
a1398cdb44c47310fbf096432221e2532cb19494
SHA256
49e52f5785f3ef57966cf302e1e84f7aff36727c859072d9f91a02c6306b2b60
SHA512
3ae4138b04963e32dd367b609c8aa12a19dcfefe7741c1b385200cf15cf0588f3d73e1821cf56e0c5bb9ac2ee177ff761dd8c892283eb9f3dae166f576fff1db