Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 08:39
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240704-en
General
-
Target
file.exe
-
Size
2.4MB
-
MD5
7eac5517949c3ba823c0d05f296bd953
-
SHA1
89d79b84addb51db2bdfeb90c7780dda23fabd2d
-
SHA256
4f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
-
SHA512
d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89
-
SSDEEP
49152:81s8BuadFFjSnGgQWYec225D4JnoSIOXEUMF9+wKm1fMkK:2BP9SnGrfeGh+onOXEdf6m1Ek
Malware Config
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
AAAKEBGDAF.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AAAKEBGDAF.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exeexplorti.exeAAAKEBGDAF.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion AAAKEBGDAF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion AAAKEBGDAF.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
51f351e8a4.exefile.execmd.exeAAAKEBGDAF.exeexplorti.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation 51f351e8a4.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation AAAKEBGDAF.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation explorti.exe -
Executes dropped EXE 6 IoCs
Processes:
AAAKEBGDAF.exeexplorti.exe740151cd52.exe51f351e8a4.exeexplorti.exeexplorti.exepid process 1584 AAAKEBGDAF.exe 668 explorti.exe 3988 740151cd52.exe 2852 51f351e8a4.exe 1912 explorti.exe 4356 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
AAAKEBGDAF.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine AAAKEBGDAF.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
file.exepid process 1244 file.exe 1244 file.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
file.exeAAAKEBGDAF.exeexplorti.exe740151cd52.exeexplorti.exeexplorti.exepid process 1244 file.exe 1244 file.exe 1244 file.exe 1244 file.exe 1244 file.exe 1584 AAAKEBGDAF.exe 668 explorti.exe 3988 740151cd52.exe 1912 explorti.exe 3988 740151cd52.exe 3988 740151cd52.exe 3988 740151cd52.exe 4356 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
AAAKEBGDAF.exedescription ioc process File created C:\Windows\Tasks\explorti.job AAAKEBGDAF.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exefile.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
file.exeAAAKEBGDAF.exeexplorti.exeexplorti.exeexplorti.exepid process 1244 file.exe 1244 file.exe 1244 file.exe 1244 file.exe 1584 AAAKEBGDAF.exe 1584 AAAKEBGDAF.exe 668 explorti.exe 668 explorti.exe 1912 explorti.exe 1912 explorti.exe 4356 explorti.exe 4356 explorti.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 4344 firefox.exe Token: SeDebugPrivilege 4344 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
AAAKEBGDAF.exe51f351e8a4.exefirefox.exepid process 1584 AAAKEBGDAF.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 2852 51f351e8a4.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
51f351e8a4.exefirefox.exepid process 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 2852 51f351e8a4.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 4344 firefox.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe 2852 51f351e8a4.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
file.execmd.exe740151cd52.exefirefox.exepid process 1244 file.exe 3080 cmd.exe 3988 740151cd52.exe 4344 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.execmd.exeAAAKEBGDAF.exeexplorti.exe51f351e8a4.exefirefox.exefirefox.exedescription pid process target process PID 1244 wrote to memory of 2324 1244 file.exe cmd.exe PID 1244 wrote to memory of 2324 1244 file.exe cmd.exe PID 1244 wrote to memory of 2324 1244 file.exe cmd.exe PID 1244 wrote to memory of 3080 1244 file.exe cmd.exe PID 1244 wrote to memory of 3080 1244 file.exe cmd.exe PID 1244 wrote to memory of 3080 1244 file.exe cmd.exe PID 2324 wrote to memory of 1584 2324 cmd.exe AAAKEBGDAF.exe PID 2324 wrote to memory of 1584 2324 cmd.exe AAAKEBGDAF.exe PID 2324 wrote to memory of 1584 2324 cmd.exe AAAKEBGDAF.exe PID 1584 wrote to memory of 668 1584 AAAKEBGDAF.exe explorti.exe PID 1584 wrote to memory of 668 1584 AAAKEBGDAF.exe explorti.exe PID 1584 wrote to memory of 668 1584 AAAKEBGDAF.exe explorti.exe PID 668 wrote to memory of 3988 668 explorti.exe 740151cd52.exe PID 668 wrote to memory of 3988 668 explorti.exe 740151cd52.exe PID 668 wrote to memory of 3988 668 explorti.exe 740151cd52.exe PID 668 wrote to memory of 2852 668 explorti.exe 51f351e8a4.exe PID 668 wrote to memory of 2852 668 explorti.exe 51f351e8a4.exe PID 668 wrote to memory of 2852 668 explorti.exe 51f351e8a4.exe PID 2852 wrote to memory of 3768 2852 51f351e8a4.exe firefox.exe PID 2852 wrote to memory of 3768 2852 51f351e8a4.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 3768 wrote to memory of 4344 3768 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe PID 4344 wrote to memory of 3404 4344 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe"C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\740151cd52.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\51f351e8a4.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1877f1b6-cef8-44e7-b537-39dfae92fa5a} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" gpu8⤵PID:3404
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e285eda6-b0af-44c8-90e0-5fcbcb38588c} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" socket8⤵PID:2580
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3004 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3200 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d15949a-19d8-42f0-9e57-54d49c3de0fd} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab8⤵PID:2728
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a20676a-bcb6-465b-b806-a49658b5082c} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab8⤵PID:568
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4480 -prefMapHandle 4476 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {519cd353-bd78-4a92-87c0-941849ba0532} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" utility8⤵
- Checks processor information in registry
PID:3416 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5368 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c217ca8-e76b-48f2-b46c-2eb5a327a292} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab8⤵PID:4864
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d499b134-5184-4997-8a87-0d948a93ca7b} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab8⤵PID:3260
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b980ff75-0b3a-447e-91f0-0e111494f9a7} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab8⤵PID:3052
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDAAFIIJ.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3080
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1912
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4356
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\activity-stream.discovery_stream.json.tmp
Filesize24KB
MD5b4b750504c33d451ed64db4460a3388b
SHA1bf21e4ff1ad04943366b05d63de3f1fc033ff927
SHA256706a12ce0cb7549bc08fcdc4631cb509a02e7b2a39d214213be812746d3451e8
SHA51279681df2735c8f3bc4d0af46b6f633c057a0b2f77c06d7c490b6867f08029ac0da3b58d3fa9dcb69d53a11a2f474be50d7b9007a43cc7e03e779f0a257873e4e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\onffaicf.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD569d9030a93349855ed97e4790c7f0330
SHA14d752ba8d52582d2abfd51be00b5c30dfd4bdf9f
SHA25628d34165a6c2e0cda62b676c3b4a8ac7e9a6bbde4cdfb4e44ec23bbd0bb7159c
SHA5124e9fd34eaafdb37e2f83544236717766403bd3a91b61245a22e728f5baf2a13f0fb90c3575cde998dd656a72bec39c77242e12b165488545c85e11d678bb932d
-
Filesize
2.4MB
MD57eac5517949c3ba823c0d05f296bd953
SHA189d79b84addb51db2bdfeb90c7780dda23fabd2d
SHA2564f8c4c304d73e6e2d3d11708c57b158e648bd79132f0a973520dc14f9e3e2e01
SHA512d7b189e5b24e7c68d57eb9c42b71233463d80b046a8d6b85e40391f477db5fb09348a1a1c0a78ce93320601a238972220dd04ed41b8fa84de69feec575c9ab89
-
Filesize
1.2MB
MD5bea6ed281b600eae06be252f581721c1
SHA125fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
1.9MB
MD52624875da55238f620fa50a01d4bce57
SHA1f955733b1feeb7d7b1a7eefe414c2e33c242df1c
SHA256413b036946af75dba74c98d52cf2a8ac969b6fded5da8a754c56776d5edc0553
SHA5120ebee57fc926ed57309b2aa8eae951ca44e71992999086e92a3b58a7448e2d610f57364b2fdbc5fefe76eb8ea557966be34b072e0f545b6514992008f6cc9159
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\AlternateServices.bin
Filesize12KB
MD52dabc9cda99330ee4a715c656e449b63
SHA1d3ed676ae35419904277e84f347a40651f93c3c7
SHA256f64078cdc3015a7ab38839a64770ad29d22f136e88d2fb5063a15ce8f1b30c56
SHA5123b1e16844be1063e6d24b5a47aa14dceb8ff68c366407dc6b16cd515be95e8c07421cab62f8039b044dbc793d7e847e578e3bdf06df30f0821277fa98996030f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD5fdb45746e3fed339c87d8b235a3361a6
SHA18316021f0033fa940a1343ce12e1dacef732d7b0
SHA25634076bf46a3f648e9f3838dc1839ac3e885fe063abdcf19bc228ecdc612df7e9
SHA512e7bec56a12490f9f7be0b2fc6926d222343833a9f576474dee2c0a6a7c2163aca492361fe6dfa5f835cafffceb698c0d74a7f62e5e053e3feaba72e33614b16f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize16KB
MD567c78cc500595b6346820a7e1ee8c7f4
SHA16412b9cc8f0a0ee3f96c7d0d7b507ba8147abf87
SHA256cf71571145ad428847b186a690550af4b1ce16214bf037332a08e776dba293c0
SHA512e74040ac20f238401bb9a04d8daf2a28840c78afd719974af6ad9437381b22d871090ef36a05f04b3893331da5f6176db0d7ee3e03dcf2d9ae865ae261cb3e07
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5db263e03444461aebd511d9426723696
SHA11d73b1736d937344c8a0d65973c27d1ab8259c4e
SHA256e6319ddcc06f792084c6835112ed93b80cc2cb592eb5e4aa601fc3fba2d5557e
SHA512f92d7ef17ce4a1c32e2a362737e33c367ada6e49b82f0e7c18aad3c45a8bf520df85c5b41eaa69c9939ae9f49bfb28866de62b74cbf5d025076d974c919f937b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD524e3a86c2c52c2dd837f1b3c75261d3c
SHA18d0c1cabc760360967109d4a02fd5d1ec4d44020
SHA2566ec8b97ef767061f76821436d6c660545bf68eb4af8beb279166aa5ff5234262
SHA512b84af8afd40ed03ee2bce00fd8dbef6772e8c3107971b46f5f4d08321eab1384cff6cac7c0a5b127f0d1762fe2f3dc962bd7378b654c54d03781543acbb2d7d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\04517223-5cbb-4468-9535-25af3d28d99f
Filesize982B
MD5ad503baf2871ff52eff94d3c2e3f5305
SHA1b457486b50b5ad97dc3043cb9814da4ea99e39aa
SHA2562867f82bf3b0ac9147655e15518f0ad0f790d2aebcc7bd68fc268397644b7994
SHA512048600bad54e5bb1cca84f848c813c0f98a2c88f14cd907482ecebff45f1dddf626c84eb325f994aab681fdea082a9120e1643f9e2062601da2a3bd0900b847f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\8ef0e82f-0529-4c80-bf50-58bae6fc7e05
Filesize27KB
MD5201bf1d257d16b43573b413f65961320
SHA15957a27e14fdffa56fdbda7c1ec0a9b0e85e8659
SHA2561245f4e720b9776bc902ff226aa11138e87f8aceff387eab146a872309f352fb
SHA5126fa859e75068f8fe862b5734678b0942a4c1390234a399679f4a4be31c8685bdf6404c8c8ba5b81d9e5ff5962f409442f2563e877c3144a10b7ede8848c7ab7f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\datareporting\glean\pending_pings\d9406192-1347-43f7-b14c-268cbf19b764
Filesize671B
MD5b81d68ea6915b5ebb67629c4dcccef06
SHA15735d0384ce0b058885331f298b8ffe479e39845
SHA256d9d534367a4f24dedbdc9cd56de8c4775552aed5a7a60df552b3f72ffb800598
SHA512dbdfc3e6f5b0edf59b4ce699f47845d710e013f580babc5ca3ca5a11be5c83e90d599651a61bda934b7fe4c4cb2aafb98555d69b6f6e6b037521829c07fd9239
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
8KB
MD5e0cc8dbbf8d567bdd6b1ab1397d4ec40
SHA12b411f883d30be33be0fc46d13ab4303013672eb
SHA256bbfc0f2831fc5748c06146789e77d97897cbc18867034ac16ed36615a921b148
SHA512f550fd1177e91ff1b54299ff1566ae1d1a94fd470f88bfeef677c60b3514bd75cbc86644264fa1356aa44d9c1f5443abdc695eac45845e0be80f17296f2b6870
-
Filesize
10KB
MD560c3f8a7145ea2c49dd179c45c81f602
SHA113fca5646b6492135c8f2881d544f6580ee344e1
SHA2565cfa99e9d43bb3f081993d6ff9f51be33a45790b26ca040a98f3cab844ad2658
SHA5123da9149c03c23bf9c6f482210cf50f230c2eca0143a184b0b5d57c03c1b8ee94abccfc6b7b13e009194535f7d552e407fc0a36c4bff9f01054c0ea92e0be9840
-
Filesize
13KB
MD5b8a13db198d3fd26aaf73d9221c2e7ed
SHA16315011a92b61e52d2291829b127253bbf1656af
SHA256d08a0c1571e6ac910a0dd5ffe6fb53daabafc527266d821404c50c657ce2a03e
SHA512877c7571fef734396879f1f0852371814f7ba8246a2a24487325e548e033ab7816226c7444dd88d0b116582c00e21fd9dbafc4b35b5876b4a8712f923b03b7b2
-
Filesize
8KB
MD5813ceef970f9409baf8a9223d34d88e9
SHA1f2567d9c869a0a6819d918170eb7b863db571d45
SHA2566dfbee1470e21c2bf6ea5aa96264c199ad4770a7a0037751dd31fd1660048649
SHA5127ed3f7c26d1ea54147cd38fa5b1b628efba07fbc86f6a2b85ac8021bebfa6d7f0578069eed428558e1fb2b9a72ba5dfbd0a69baa7632d1fa980a75e35ac0604d