Analysis
max time kernel: 150s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10-07-2024 13:15
Static task: static1
Behavioral task: behavioral1
Sample: b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
Resource: win10v2004-20240704-en
General
Target: b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
Size: 1.9MB
MD5: eab77268e7ef4408f7c9a45c8e3c2d3d
SHA1: 65225c6a2a6d6f52e01a06441634989d406965a5
SHA256: b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0
SHA512: 0f37aae6ea10b4c7ac7e4302d9e7be0df055605c99c48914cbe5bd650dcf86ffb0727aa836bcf0a2dd6e842bebcef58acc31911dbd5f8bc4dc5ec7816d3bdbbc
SSDEEP: 24576:s4myvlZoNUJq3gZsSiTiugTteUtS265Nl6mFJzIAvDRZ1PuutXfqEddN6fSTO:sFyvlCHYTeWev26PZFJzIeDVHtHBO
Malware Config
Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | FBFHDBKJEG.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FBFHDBKJEG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FBFHDBKJEG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
2424 | explorti.exe
2576 | f66a12a266.exe
1504 | 735496ab4d.exe
4460 | FBFHDBKJEG.exe
5556 | explorti.exe
3208 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
Key opened | \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Wine | FBFHDBKJEG.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
2576 | f66a12a266.exe
2576 | f66a12a266.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
pid | process
4036 | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
2424 | explorti.exe
2576 | f66a12a266.exe
2576 | f66a12a266.exe
4460 | FBFHDBKJEG.exe
5556 | explorti.exe
3208 | explorti.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f66a12a266.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f66a12a266.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
4036 | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe (2 entries)
2424 | explorti.exe (2 entries)
2576 | f66a12a266.exe (4 entries)
4460 | FBFHDBKJEG.exe (2 entries)
5556 | explorti.exe (2 entries)
3208 | explorti.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3236 | firefox.exe (5 entries)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
4036 | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
1504 | 735496ab4d.exe (repeated entries)
3236 | firefox.exe (repeated entries)
1504 | 735496ab4d.exe (repeated entries)
64 entries in total; consecutive duplicate rows collapsed.
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
1504 | 735496ab4d.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
2576 | f66a12a266.exe
3236 | firefox.exe
1276 | cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4036 wrote to memory of 2424 | 4036 | b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe | explorti.exe (3 entries)
PID 2424 wrote to memory of 2576 | 2424 | explorti.exe | f66a12a266.exe (3 entries)
PID 2424 wrote to memory of 1504 | 2424 | explorti.exe | 735496ab4d.exe (3 entries)
PID 1504 wrote to memory of 4236 | 1504 | 735496ab4d.exe | firefox.exe (2 entries)
PID 4236 wrote to memory of 3236 | 4236 | firefox.exe | firefox.exe (repeated entries)
PID 3236 wrote to memory of 3228 | 3236 | firefox.exe | firefox.exe (repeated entries)
64 entries in total; consecutive duplicate rows collapsed.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 4036

  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2424

    C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\f66a12a266.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2576

      C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe"
      PID: 3636

        C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        PID: 4460

      C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGHCFBAAAF.exe"
      - Suspicious use of SetWindowsHookEx
      PID: 1276

    C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\735496ab4d.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1504

      C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      - Suspicious use of WriteProcessMemory
      PID: 4236

        C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 3236

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1900 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc6489f4-0948-4c36-9d26-650ede3b82c5} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" gpu
          PID: 3228

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4669a321-45da-426b-aa64-f49185e6b573} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" socket
          PID: 1628

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2884 -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 1400 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {372fd3df-41f1-40ed-9929-e23a08f7bb8e} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab
          PID: 3192

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3eb57011-3fdc-49af-b990-94e599b9b9c2} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab
          PID: 4140

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4796 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7a3ba7b-4d1c-4914-b682-b359fda54e5e} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" utility
          - Checks processor information in registry
          PID: 3464

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5604 -prefMapHandle 5516 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45e1a86f-8fe3-4a87-ac48-71a5c6fbc188} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab
          PID: 6056

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 4 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f393b090-4220-4045-9568-907cde26de1c} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab
          PID: 6068

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 5 -isForBrowser -prefsHandle 5964 -prefMapHandle 5960 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b47d85d-2b6a-4f31-bef5-d3f49fe8bc71} 3236 "\\.\pipe\gecko-crash-server-pipe.3236" tab
          PID: 6080

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 5556

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3208
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 8KB
MD5 254c79a37596cb57a3a5bd32a0ece0a6
SHA1 257733ffc6184473acc2c2a5c2d1f56bb8a25565
SHA256 c589e3db12491752f3b5f331966b817082ffba20e28abace9834061af0da4f16
SHA512 bdb64ed4cd839a7b0311e95a6c4690ccd06781e6903e051b27fd728fec7020fa84b40c0ab3e0b91321ef94b0acdb77a4e34c9606d906ea2a079124f9ae6aca50
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\activity-stream.discovery_stream.json.tmp
Filesize 18KB
MD5 d751ca6a36d3bf0daedbb3560c5dca6e
SHA1 fb46aab0d7f8f7cccbcee4df37a413deff1527f2
SHA256 21f7c1a57614f954bf498bada36ab67ba38e321e4b2b3f80b5e161fb4ae0c539
SHA512 2cde1d637a3de9a2e3c0dbf1b7dba384dcfcd7ce7be8aee28691b8671649f616779a89b721157499fd5a090ed20c71091f606907cd9a92fac43439ec6d82a6e5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 ddf28fcf239331ba7cae3ce3043577c3
SHA1 17cc67d1d4625b379d40ada7c70f9a618e26f377
SHA256 d7808c1072462edb58d96b12729dc6a02510fdf4ac6b2a6b27e234fc6c90cce9
SHA512 e27168c39aaf7cb77c938adde8b031bce7900a37a7163b108feeb54e39ac1234e8fd26c3ac413851e9a7871fb52c36ab0868cdc1c4c0e2b9f5386c8fba4ce7e1
-
Filesize 2.4MB
MD5 20fe4b16d13a547a5d7f4dbf543b595a
SHA1 3c59aca1c693efb9923f04c312fdcd47388d24eb
SHA256 9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04
SHA512 c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e
-
Filesize 1.2MB
MD5 bea6ed281b600eae06be252f581721c1
SHA1 25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
SHA256 d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
SHA512 746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42
-
Filesize 1.9MB
MD5 eab77268e7ef4408f7c9a45c8e3c2d3d
SHA1 65225c6a2a6d6f52e01a06441634989d406965a5
SHA256 b113461bdd757e057fa25bcb8eea906198345e4e22d96dc4a23c1631018343a0
SHA512 0f37aae6ea10b4c7ac7e4302d9e7be0df055605c99c48914cbe5bd650dcf86ffb0727aa836bcf0a2dd6e842bebcef58acc31911dbd5f8bc4dc5ec7816d3bdbbc
-
Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin
Filesize 8KB
MD5 63ec9159550496ee4f5604ca2eef894b
SHA1 c17ab37bd5911eaf061d4197a1edd2efd625e137
SHA256 152f72ae7a895e7383f02c7219451c85432b3415b16e47ed7f17d4fe0bb6c309
SHA512 847f23bd8e90ae4748ed369b9c7ca2c2203bea147a7b8d6501fb20f220803b7551ff9e1454860d55c016f6797285fdafdc2dc848693502616f51ca1f5fd30aa7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\AlternateServices.bin
Filesize 12KB
MD5 a9db8a61c7f1ca47c7ad6d232bdb96cb
SHA1 8b94ef67e1b77fb03f9047896c0354ab08a0e130
SHA256 da40b17abfcad427ba10c969dfd44466352d35615416d5231ea68f9b2a633f8c
SHA512 bc89e8a2d8c4684fb053b25fc33b75379e36f391fa45a0d11e3cc0314a123ab1354a97a5e33c030fd6e1c43acfa333b6e7fde2dda3c37ef48d6b1582b0422b3c
-
Filesize 192KB
MD5 5e0d1b47f9bbf070f0d5b00eaf81b4bc
SHA1 579441da9650a2bb97bbb4773ea06b640f5804d7
SHA256 157ed67bd4abd654faa859d6dafe86f70b07e68167889596590d017bea47d1b1
SHA512 8c099bbf863e10b4b7648ee702cc220e9a7e299d3bb5a0b201e4318ca84badde509ea8c122bbe95cea3e735a0886a72d9e0080b7ebbbcd818a4398c202cbf7dc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp
Filesize 16KB
MD5 0aadbdb654845d553f3fdf79c689338b
SHA1 37f5e9215e267acdad567b4f81058749bfb614b2
SHA256 54db244bf1b235586a1cc178b9c6494b145365ad461fe6e2a33f043f34e35621
SHA512 5b7e786b17560e2c07b481445bfb6efd220e02f4d6e6e0607ecfad7790c7eb06c17d173d8c2a62da6d390a0ab583107430bdf80e758e918349ff239e7e3609a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 20b9bd71616a5635294d0c2c99e579db
SHA1 db038f8034f8a8aeb456c84a5e1f2c7adf6be1ea
SHA256 336b1c9f95966e3a60727c68e3c9b3c9f7ce9a25b75e445eacd755da832a3cf9
SHA512 3470cfa9d4b3b97d4871bd9acb93a2aee831c9e6383429f2f244b496da57674b03d5ef9fb71c9a21f570db3cb144e743065d346647c6a90197c0f3bc34d06ef3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\06ff740d-edce-4a74-949d-38547fce409e
Filesize 982B
MD5 6334cfcc9600f42fc48ac677feb522b2
SHA1 94fdab029d118610de04672486ca2f0270768fdd
SHA256 79e1272b8223b2cf0fbad8b589f66b3622e5a85022cf9ede20b42dd1f6687ba6
SHA512 b20c162421598bcc344b00c4b30ddacb7089ba74119f2a9784fce9a1ef2c7bfcc903134f95b0eedd3bd33e7baff55389f686f8158054074848bacf39008b628c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\3e12b008-a099-4c54-afc4-26613c172bb2
Filesize 25KB
MD5 f0bef563d730e2f5be5dcd838f6da07e
SHA1 0004fb42203faddef52371ba18acc815477cecc3
SHA256 3365d426fe3d690fce5ae2ba899fda9ccf4a2fec13ffedb713519a1264e089c8
SHA512 d34e7ff8d5aa83173c93ba25d9105406bf859b8a377c918553617e8cb383e79e746c8e4bb6a198ccea6c9c06fafa7558febf095506771d3c3fd6757b3d18549c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\datareporting\glean\pending_pings\605aa892-3d5b-43ff-92dd-89d790f6b1a9
Filesize 671B
MD5 95fbc683478da35b3952c40b0f5724b5
SHA1 260a5d3224388ee2fcb8fd3b05675a8bd9c79a80
SHA256 2063f1207b6d1bd5b9ae5fda501f7e63efa332004d221c500fc2cf27c0cf311d
SHA512 2c186c186718d86e8abed0805241eb189457021d2cae4ee4bd37911b7a7cf5abcca50a40a719e540ae30a330ca3e45bc13985f6952db8e4641256f31f3bdf1c8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m7qr6qvv.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize 992KB
MD5 154b44d7a53b51811bc321db3349c1e8
SHA1 395a3f5e44ae21efd924c1360988af787c4b5944
SHA256 4fa6f0558fa603d07078b12076061dc60435597a2ee40479e9c7c370e4488819
SHA512 75c9b0d15a8f0c07a88c01b83f62fcfbd0260eb562ca3ea3808983dec472ebe671dbff473430c96e2ebca58a907c3ed910bfafb08fc9ec830ceacdf66c481a0f
-
Filesize 10KB
MD5 85fc1a81016c337bf96f2654f294f191
SHA1 d189744d2337dea5c0b29e8340e836813ad4f1a2
SHA256 6e122f0f34bc71179cc135e55b19675f4d9083ff6dc11fcdbb4a99339b326f82
SHA512 0b3b97536d977deaa109c1a20970d9ce178f06b59faf062d4f077531557dd69940f3690a339d4bdd18d9f98c9fd6f7d6dde3ea7fa9ffc43cb2586363f3d6c5de
-
Filesize 13KB
MD5 e87e5375bbaa88f61d365a5fcfa4939e
SHA1 70a68c3e556c0a59bec67d0841c162c590406b8d
SHA256 2fc8a42a6daff7513569382aa43198f4af37e3a9c6080336fb498f7e9036caae
SHA512 953bc7ef2a51af8179ce90cd3d8bf02824a1c57adc5173671a3101c51f243e42fabc39eec2071f0a6ebda06149430b4fd2d03a6781452b3b7f4e1203563e4514
-
Filesize 8KB
MD5 2e6a723729693a1d116a02da0e854194
SHA1 a3c788c856f4385d12c7cada226e2426c94e3a58
SHA256 6e4f6655170e1f63e838212377ef13538ba33da15d5eb8b8eea39fe566a3f967
SHA512 608f2c719d7859cf1b14dff512059041a49360a64be1794433b1abf8d68f0ebbba31ffc661d05e3b13695f3d17d8d2ba75ab2814e52a8aa6f3f2ded8409db0ab