Analysis
max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted
11-07-2024 06:57
Static task
static1
Behavioral task
behavioral1
Sample
b0abfe65f6de9238e3b03b6d5e115706.exe
Resource
win7-20240704-en
General
Target
b0abfe65f6de9238e3b03b6d5e115706.exe
Size
1.8MB
MD5
b0abfe65f6de9238e3b03b6d5e115706
SHA1
217ab85c40c8b968fd5193eaba20b841bb09e891
SHA256
64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA512
87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c
SSDEEP
49152:Zy/ZdetC0vIdbKfBe/k00cvmp566B2Bi:A/ZdetCdbKJeBp+p566Ik
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b0abfe65f6de9238e3b03b6d5e115706.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b0abfe65f6de9238e3b03b6d5e115706.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b0abfe65f6de9238e3b03b6d5e115706.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | b0abfe65f6de9238e3b03b6d5e115706.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | c5d62d3153.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | fa37829861.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
212 | explorti.exe
4920 | fa37829861.exe
2348 | c5d62d3153.exe
4492 | explorti.exe
3172 | explorti.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine | b0abfe65f6de9238e3b03b6d5e115706.exe
Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine | explorti.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
4920 | fa37829861.exe
4920 | fa37829861.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
pid | process
2376 | b0abfe65f6de9238e3b03b6d5e115706.exe
212 | explorti.exe
4920 | fa37829861.exe
4920 | fa37829861.exe
4492 | explorti.exe
3172 | explorti.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | b0abfe65f6de9238e3b03b6d5e115706.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | fa37829861.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | fa37829861.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
2376 | b0abfe65f6de9238e3b03b6d5e115706.exe
2376 | b0abfe65f6de9238e3b03b6d5e115706.exe
212 | explorti.exe
212 | explorti.exe
4920 | fa37829861.exe
4920 | fa37829861.exe
4920 | fa37829861.exe
4920 | fa37829861.exe
4492 | explorti.exe
4492 | explorti.exe
3172 | explorti.exe
3172 | explorti.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1456 | firefox.exe
Token: SeDebugPrivilege | 1456 | firefox.exe
Token: SeDebugPrivilege | 1456 | firefox.exe
Token: SeDebugPrivilege | 1456 | firefox.exe
Token: SeDebugPrivilege | 1456 | firefox.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
2376 | b0abfe65f6de9238e3b03b6d5e115706.exe
2348 | c5d62d3153.exe (repeated entries)
1456 | firefox.exe (repeated entries)
All 64 entries are one of the three pid/process pairs above; the listing opens with the single b0abfe65f6de9238e3b03b6d5e115706.exe hit and then alternates between runs of c5d62d3153.exe and firefox.exe hits.
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
2348 | c5d62d3153.exe (repeated entries)
1456 | firefox.exe (repeated entries)
All 64 entries are one of the two pid/process pairs above, listed as alternating runs of c5d62d3153.exe and firefox.exe hits.
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
4920 | fa37829861.exe
1456 | firefox.exe
780 | cmd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2376 wrote to memory of 212 | 2376 | b0abfe65f6de9238e3b03b6d5e115706.exe | explorti.exe (3 entries)
PID 212 wrote to memory of 4920 | 212 | explorti.exe | fa37829861.exe (3 entries)
PID 212 wrote to memory of 2348 | 212 | explorti.exe | c5d62d3153.exe (3 entries)
PID 2348 wrote to memory of 4612 | 2348 | c5d62d3153.exe | firefox.exe (2 entries)
PID 4612 wrote to memory of 1456 | 4612 | firefox.exe | firefox.exe (repeated entries)
PID 1456 wrote to memory of 3020 | 1456 | firefox.exe | firefox.exe (repeated entries; the remainder of the 64)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2376

Level 2: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:212

Level 3: C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4920

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCFBKKEBKE.exe"
PID:2524

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJJJDHDGDA.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:780

Level 3: C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2348

Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID:4612

Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a30d9d-90dd-4313-86e3-12dc431936f2} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" gpu
PID:3020

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e2cc0ab-3e4e-438d-8923-f0187707e339} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" socket
PID:1876

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3308 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2f735f-d5a0-4add-ab9a-fca7c62fdc12} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
PID:1112

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1272 -childID 2 -isForBrowser -prefsHandle 3840 -prefMapHandle 3804 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0160328b-eb88-455c-ab90-7f186ffece5c} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
PID:4024

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4512 -prefMapHandle 4508 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acae76a3-344e-4463-9868-356f9156da4d} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" utility
- Checks processor information in registry
PID:3092

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6186735c-d288-4169-894e-87f99fea9624} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
PID:4600

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f489f45-ecf5-43f6-a7af-7f80bf7f82a0} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
PID:3832

Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5748 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a1469da-7e1e-4536-a265-920cdfd4ffe7} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
PID:956

Level 1: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4492

Level 1: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3172
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json.tmp
Filesize 21KB
MD5 fbd17f2379497865d3192df4b37e79de
SHA1 5388ac93add7d36396c83b3d5ac226ee11d6b8d4
SHA256 d1bf921a657843c79965b7b62d724c3dc2131b2115b9a5a718a7bd2bc9d758ee
SHA512 4404ccad01ee27c86dda5a1062333f51a32f3053a0503967d683f4f0adfe23ccfba25d7cc3a58f4c4e35159cf93f79775fc59a864a4d50be29a0698aa3b898b5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 1d70bf93e4083674d855926eb723695e
SHA1 0e18bb0a47bb34fbd87d935e50e35e85ce747a0d
SHA256 f0819da6da19816cf54f8f93f95407d028eb7e083285fd21d7d1cf1afbf5c19b
SHA512 7a85ea3a864da78b05fc0000719f1a22a3f806b453cafa57fd27ee826058914cb0e2064d2f053d0784d4b094d0a6bb83436223ec913dc5602a3cf86d8f9cc9fc

Filesize 2.4MB
MD5 e0525803e9e18b3e3a73b6e999b40284
SHA1 f92b719f6e774c35836a582cff902f3f5f54c6a2
SHA256 59d115c4f1a0035301f09d9697f988c7f667d0131582dfa7a28990fc02baa086
SHA512 dbf56d01de700a74c757dee971b146661c93d284590813b7eba336235eb32aae076060f45467a84eb2541db9926a0cdb66af1b8885f7a9c07420ebc58da2c81b

Filesize 1.2MB
MD5 ba9b2fddc74af8c0091d45323f0dfab1
SHA1 df227f6f8ed7f146376c53286dccd7c2f5e70ad4
SHA256 7b4b96aba97bf47462ed86bb7a3dee58092352428a8aa0afc0453d28490054f8
SHA512 7f83f5805ac0dc37d71b945732475f239cf56c03ec49a5e0fd759d84d5b545ceff1d9ab845cc33250898246bc14368a7afb5b7b05b9e8ca2c7cab328a5e6b10e

Filesize 162B
MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Filesize 1.8MB
MD5 b0abfe65f6de9238e3b03b6d5e115706
SHA1 217ab85c40c8b968fd5193eaba20b841bb09e891
SHA256 64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb
SHA512 87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c

Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin
Filesize 11KB
MD5 ea17b1aff1cbe6734592db4331a6f1dd
SHA1 6f8ce03053b18bd18801099f467ddf4282e67fb7
SHA256 bdafbf821ee36beee2bad91da5a0e177da20c05a3687ea266561a61558079491
SHA512 3e93af89b116a8d86eaa5297003fd9b731c1ec4c32a21e3d1f61415e0aebb8cc0259430a31b89afd34c3d7653e08cb535dc57a2577214e70b36e073298963399

Filesize 256KB
MD5 d7fc50cf1f2f048c172a4e9af9310d7a
SHA1 a997d894331831fbf7c47deddf96e2790f23e6a9
SHA256 011c38b836293164508af64cd753372bb8ea496e5b7c2afcb6a1a644c4708716
SHA512 ee23cdb65b80871f9059c2e88c6f6be925023b88a37e9db67ea3307230426247e2554a5e5d2f1adc5ef46eb4697c4bec24a844d0c429fb4028035ded561e7b51

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 ab2764dd8f892b627cf2870116426d98
SHA1 5fe4af6c09710db95ff5314c8f57f06062eae1e3
SHA256 3b25fbc1f54ee590bb614d3eacd57fe8ef9c6f325621c511206f6be792e9b40b
SHA512 d74d2b7fbe774f516ec5cfd6ab3bfcba7a18105c1c111ba20a51540dfcd0d9699cb80b677e156424112d188bfdae7c511312a2489692b0e250606086a69a7935

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 411d6e48e3d15d717529d0937b3a8ff8
SHA1 cdbc02caaac929061489216588b1312057f74f8f
SHA256 70a837a1b0d4f3283b35409df3170c53481293b5ec3721ba0823f57f91d8bad4
SHA512 40b44be8f382e593ec03aa3b305867371d75eed3e5e1c7ba378fa9b26e61ae056132d779279b62996c47aa28c848486cf1c389862b8e6c1bfedefbf9c0fa53fe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize 16KB
MD5 10daa2fdd91dcb164716f987de96df19
SHA1 1691dc514679fe05a2f98cdf20d4abec87492697
SHA256 109632a20fae73f92f1ada54e4987914fd9145dab46aa9a95e73e569000414bd
SHA512 fb86e8f31d1a618dbafe5b5fad6beab809bf94f671baf47c3dec1452d551017a86907a6deaec87446a062d585b5cff061368ba5d320a2e2ecd4fe5fa01fe02bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp
Filesize 16KB
MD5 52f91584edd12db724e711836beb9292
SHA1 5444ffd12931d96d536f13d5a57a22439dbfd45e
SHA256 43c1501e05bcc992cbb8fcd75242d29804240da7678f93952807002fb0ffffa3
SHA512 90a7767bf1a900efec06c5dad533dd3cf81b6c986de3925bbe392e14c356a864d8b4cb0b3a7f7e16725d0a8f603ac79d6698cd8d6ca5aa018ffe10722d44c472

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\0aef2533-a02a-4f11-9766-105e23402302
Filesize 982B
MD5 a196a80fd6638d8ad2080873654ef498
SHA1 514ee9e9715b814a1a4a3353fc660d86ea9b3db8
SHA256 9a87968f5b692e720928dd7db900d4dc4e1592b7672c6b7aaa4f1fb9a5ed4e7f
SHA512 4950c88c454404e9c6820d7f321350bfb0f06a1eeea9208858d359671a8b2acda6292c8496c12c3bf4507392e8688588dc9cf7be19b32df141360a2bdbfda728

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\5ce19d1b-1ffa-489c-85f1-57904f47ae45
Filesize 671B
MD5 c7ed9019b11161c35d203894eea2745e
SHA1 337aa27bd4addca774f19c8c36db3b900cb99421
SHA256 ea43479cab64731e017dd130e596c922f35a1be7017d2be4419ac1c1b2a5b3c6
SHA512 f2c39f6c188203c604e0e1d0bebab79e3ee10365f48f2ec0f88b4709c0be8c82e8f4d5f0111bea8d0b3b36e2284d6abeb427ef9c5c1dc3827638425a3bfd1710

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\f4eb84c9-5dfe-4261-9dcc-51dc65804b52
Filesize 24KB
MD5 77380e908036ddb99aacc1d66fae49be
SHA1 b6735c270793cb65af2be838120569d1eb7f6aa3
SHA256 38421f3376301cc718e091c8d783884e92eecc056f086dc12631cb2bd36c626d
SHA512 1cab780f25a3419de2dbe083855f348004dbe9d1e19e461153982dc51baac8b69ee8370c13d165f697664114e002c9be675b5ec48a0f4e08d9773e1cbb82cf46

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize 992KB
MD5 f501101059501e1e347a03278417dff6
SHA1 99d5e6b28da6b4f142483dd4f74d3fed64c32c36
SHA256 5bd4241b67ff24cec77352e64f158ce744032f0d35ae899d1fb8564dc7153834
SHA512 fca10eb528fc5acebf288dbb5448b5fb58102b012bcf3342ec0ced75d1a497a9d9e0dcadb29eedd7fe3e4f4d86fe4ee258c0965f2606b76c068baf396cafcd9a

Filesize 13KB
MD5 4b959cf331ebfb4f099c8c666c2d96fd
SHA1 f5478583c41cd7747f1d58167dba3dc08d1c331a
SHA256 2da15fa7cd6b499263473d420001e519b124b4c7f6f87c7db15aa099ec348bb9
SHA512 2d7a01f533e3d961b8853815380a732903511366cc0723a4442a4cdadbced441e3a2fb017e6c1d5efd07979d833cdcc64da21ee1e61fca244d2a7aab5cf48e3c

Filesize 16KB
MD5 9f2e9942fb0d2e1a9a7b715763791f9a
SHA1 a6bdb52306f98946a52341f19a280ffee1ddb9bd
SHA256 b6921e8015a58e94fe96122d6fa2f553dd92044981a69bf892084ce24d43987f
SHA512 700ff60d6ea1da090f03212dc5a162a3a43332a5111dae0292a83cad44c185610053d8647a16acc48f5b69638518e58e8f30d92c6fd1e915b877dd03ac2a3e33

Filesize 8KB
MD5 b9dc5b2790fa9be73ec939d99e0c7132
SHA1 aa1a66a6b1b7516598687fe2b5ca00b84d3d7305
SHA256 b32bbaaeb227f7bd5224e139df406165fec96c3d87b2f05488f3593961388e1a
SHA512 f1431c9822ab8f4ea9ee8b5fd766ab85806a23b49326105020d8ed5fa1e7a317a3a0d2ca76fe9b491e07285df0271cbe6c16f6e926b6217e51c87518a9fb2759

Filesize 11KB
MD5 2687f09dcaca1f9d820acb21eb60091d
SHA1 3bc9246c724eba8d1f9c950a32b04eb0c73f76c0
SHA256 18ee7d29efa5fed2da9648fc493409e993e0a61eefc9beea5b761e15d4f395f6
SHA512 3a3d89c5c924048d79e26939ef19227f91d6e6aa4c25bd444b47386b44003ffb83c229f0bb864a0b20785451cbc34381595a77cd87c2ef574b698b7e8a8c7ef0