Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 11:31
Static task
static1
Behavioral task
behavioral1
Sample
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
Resource
win10v2004-20240704-en
General
-
Target
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe
-
Size
2.4MB
-
MD5
20fe4b16d13a547a5d7f4dbf543b595a
-
SHA1
3c59aca1c693efb9923f04c312fdcd47388d24eb
-
SHA256
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
-
SHA512
c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e
-
SSDEEP
49152:/rgHud6Pbzi1SlyXODTWdvT5un9ep9mwaCx6Iu7BBk:/uuwPHMSlyeWQw/a06ZB
Malware Config
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
DAKFIDHDGI.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DAKFIDHDGI.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeDAKFIDHDGI.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DAKFIDHDGI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DAKFIDHDGI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.execmd.exeDAKFIDHDGI.exeexplorti.exeb7a53f7bd1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation DAKFIDHDGI.exe Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation b7a53f7bd1.exe -
Executes dropped EXE 6 IoCs
Processes:
DAKFIDHDGI.exeexplorti.exef4f9886d53.exeb7a53f7bd1.exeexplorti.exeexplorti.exepid process 4784 DAKFIDHDGI.exe 4268 explorti.exe 2796 f4f9886d53.exe 3228 b7a53f7bd1.exe 1268 explorti.exe 3900 explorti.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
DAKFIDHDGI.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine DAKFIDHDGI.exe Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exepid process 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exeDAKFIDHDGI.exeexplorti.exef4f9886d53.exeexplorti.exeexplorti.exepid process 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4784 DAKFIDHDGI.exe 4268 explorti.exe 2796 f4f9886d53.exe 1268 explorti.exe 3900 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
DAKFIDHDGI.exedescription ioc process File created C:\Windows\Tasks\explorti.job DAKFIDHDGI.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exe9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exeDAKFIDHDGI.exeexplorti.exeexplorti.exeexplorti.exepid process 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4784 DAKFIDHDGI.exe 4784 DAKFIDHDGI.exe 4268 explorti.exe 4268 explorti.exe 1268 explorti.exe 1268 explorti.exe 3900 explorti.exe 3900 explorti.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 2380 firefox.exe Token: SeDebugPrivilege 2380 firefox.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
DAKFIDHDGI.exefirefox.exepid process 4784 DAKFIDHDGI.exe 2380 firefox.exe 2380 firefox.exe 2380 firefox.exe 2380 firefox.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
firefox.exepid process 2380 firefox.exe 2380 firefox.exe 2380 firefox.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.execmd.exef4f9886d53.exefirefox.exepid process 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe 4164 cmd.exe 2796 f4f9886d53.exe 2380 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.execmd.exeDAKFIDHDGI.exeexplorti.exefirefox.exefirefox.exedescription pid process target process PID 4960 wrote to memory of 2544 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe cmd.exe PID 4960 wrote to memory of 2544 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe cmd.exe PID 4960 wrote to memory of 2544 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe cmd.exe PID 4960 wrote to memory of 4164 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe cmd.exe PID 4960 wrote to memory of 4164 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe cmd.exe PID 4960 wrote to memory of 4164 4960 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe cmd.exe PID 2544 wrote to memory of 4784 2544 cmd.exe DAKFIDHDGI.exe PID 2544 wrote to memory of 4784 2544 cmd.exe DAKFIDHDGI.exe PID 2544 wrote to memory of 4784 2544 cmd.exe DAKFIDHDGI.exe PID 4784 wrote to memory of 4268 4784 DAKFIDHDGI.exe explorti.exe PID 4784 wrote to memory of 4268 4784 DAKFIDHDGI.exe explorti.exe PID 4784 wrote to memory of 4268 4784 DAKFIDHDGI.exe explorti.exe PID 4268 wrote to memory of 2796 4268 explorti.exe f4f9886d53.exe PID 4268 wrote to memory of 2796 4268 explorti.exe f4f9886d53.exe PID 4268 wrote to memory of 2796 4268 explorti.exe f4f9886d53.exe PID 4268 wrote to memory of 3228 4268 explorti.exe b7a53f7bd1.exe PID 4268 wrote to memory of 3228 4268 explorti.exe b7a53f7bd1.exe PID 4268 wrote to memory of 3228 4268 explorti.exe b7a53f7bd1.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 3996 wrote to memory of 2380 3996 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe PID 2380 wrote to memory of 532 2380 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe"C:\Users\Admin\AppData\Local\Temp\9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe"C:\Users\Admin\AppData\Local\Temp\DAKFIDHDGI.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\1000006001\f4f9886d53.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\f4f9886d53.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\b7a53f7bd1.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3228 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.0.541825479\877364806" -parentBuildID 20230214051806 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8ff3cc8-92fa-4210-a4a9-48c1feae9ca3} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1916 2c0f8a0dd58 gpu8⤵PID:532
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.1.1947422746\428782767" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2dd696d-1dce-4ec3-8054-9e10446dbfff} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2488 2c0ebc8a258 socket8⤵PID:3792
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.2.1584513867\1437349980" -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3252 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96f3b7c2-2b51-4d56-ba37-478064e8941c} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3328 2c0fb345858 tab8⤵PID:4188
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.3.179733119\730169197" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a3a97f5-5aaa-4840-ae13-4d19a43da483} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3148 2c0fd642c58 tab8⤵PID:4064
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.4.1776923757\1797230845" -childID 3 -isForBrowser -prefsHandle 5220 -prefMapHandle 5360 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b23a66ff-c273-4800-998d-bc4614c5239f} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5384 2c0ff539458 tab8⤵PID:2116
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.5.1875677492\623806062" -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5340 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {557311bc-5ecd-46f2-83e0-d851cec296f3} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5604 2c0ff53a058 tab8⤵PID:4212
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.6.688010373\887647161" -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5752 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 980 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade97585-d101-4c48-875a-d1741bd7b3e9} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5764 2c0ff53bb58 tab8⤵PID:4960
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECAEGHIJEH.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4164
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1268
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3900
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp
Filesize22KB
MD5ce0c457dc80de85714adc15046e939c6
SHA1a6db1dac12ef091a094d3b1f5db2b73d3050b4ba
SHA2566578f4e4ba5dff5d2c1ec198176548c784ddf5aae1af22fc892df15c777126c8
SHA512b65f99fa58e89909158933d435fdd099868a5390a3918fdbc713d11af7d7dc6500f5a732b01d2e353fcda567b94301cb202d6aadd5ac06d36b8d0028d1d1a457
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD5f22e74b68589141faa7e57fb93137208
SHA15dc69ed75f6db48424b6860dc9c5a6ca43154398
SHA256857175863d2332e4eec8a37847ebccbba349613ef0695d3d577a57bdf8a9dfd7
SHA5122ffc19d03b0a7f7f7b8c022974c5b2ea23cf62dc81ad15024f10c4e8f2298282234ad8c14433475f2a05a929ad81cde71f496ca3e936344c879dbe525659e160
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD55e8d381767ed2e499966a65d14cb6543
SHA1113e968d1383718435559436d5914c8a740b35f0
SHA256cac4dcc7105f17f0563141baa9b5fa120ec2129915a008bd13143aca0813664d
SHA512cce89a0773b328e3b8e16b953b986dcebebdef86ff61d67244ac0b4bb62ae42a3f453e6944aeac66ebe3d37a4471df556e21a34ac7a9a222d220dafe3f449e1a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q38sqp1f.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize9KB
MD5aa74c13cac6036d610e3b8e310373626
SHA1da8e5c905dc2f3739a1f656970280196d2874fe5
SHA256daa90e28994069c0e4238bb8694840fa23b8dcf1d112098b3a94f2165e89937e
SHA512690bda1b42b955c4c5f287a40682a5b2de56707175845e73116f3247af6384bea1be25dfd882543eec573a050d41cc82f5a5642ad67fe5dfed45789453cb7bc8
-
Filesize
2.4MB
MD520fe4b16d13a547a5d7f4dbf543b595a
SHA13c59aca1c693efb9923f04c312fdcd47388d24eb
SHA2569be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA512c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e
-
Filesize
1.2MB
MD5bea6ed281b600eae06be252f581721c1
SHA125fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize
1.8MB
MD5b0abfe65f6de9238e3b03b6d5e115706
SHA1217ab85c40c8b968fd5193eaba20b841bb09e891
SHA25664d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA51287b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
10KB
MD5b361ed769abb5d459963d8ed98b3036d
SHA13fefdac0e72834dede5a0c2a1039812d0cdfe457
SHA25688427c58429dd8c595813df470c5175bfffd699dff2fddc2569dc10a9b2b4f77
SHA512e463d502e14be301aedd99bd8cc55c06a5922677fb9776754f417bd3a84d9b3cf9330d701da47938c30c1710bd67d2f7595a079990f7808ae3a9935539bb080a
-
Filesize
7KB
MD586f7d5cb5cb7a2666b52057b8d22faf4
SHA1379584d0e3c76d6657d89dc95206581a35e3c812
SHA256a90cce99dc581ea2aab0493adcae1f0f428811dc5f522ba14caba4ac95430c95
SHA51240f4c59fda80c5edd3cbde1899a6bfeb8bbf28234238c0234b7191ad4532ca47d17cc0542a359463dfe387c761a55b212ddfedcc58449fd9ab5a6f295b0e5dcf
-
Filesize
6KB
MD5a916eca6b7a760893153ae63c5c7e7c3
SHA18e36ca798ffc9a9df0e7053fba74bee0417046b7
SHA2569d044a27400ef3a36b52c547ba8351b90ab784c679ff63fb083aa13ab4f966b0
SHA512cf3bda43429b66d2ef557e7ba1a9a3fefc4b3fb83b038a7f2ea26a66a9a8f9816c65782e52a111725f9b555fb299d0a716a07b7b31513c886309171239aafe40
-
Filesize
7KB
MD53869ebb2f25f530c3163cfd1497de72c
SHA1b29ba5774fd66130b8c9d260c7d3026055968daf
SHA256fcbe30151d567be2b009d5389a3a8893cd330667f0c3cc9fa569f111659632ee
SHA5128dbed7ebc791ddaa689ca18c4ea99505536d56d88454683eb4b729a48f633cfcc53509533694abf34fbb6cad400935fea2d6d52e8475f1804a6186c7b7241dd8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q38sqp1f.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5f8dfd1b961127f7acf21c6f0e6108365
SHA1a0636d162c8dc670338c4f2bdcd4bfb401db5d5b
SHA25629fd77eb3460cd2f0558b251b66a697d0fb48720fc7301307dd829a669b84e2a
SHA51246d2f4021fd2ee2a81a644cceaa8aebd2c9f0e27d978b58e45de421eb49893195a24aa6b2de6fd9534678dec68ff19a55698617d82c522079cc67b308816f94f