Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-07-2024 06:09
Static task: static1
Behavioral task: behavioral1
- Sample: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
- Resource: win10v2004-20240709-en
General
- Target: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
- Size: 2.4MB
- MD5: 08c7502b3315ce651b6b57849c1d7308
- SHA1: 25d8366a04fca7105e7c38eac267ab787456f8c3
- SHA256: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
- SHA512: d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d
- SSDEEP: 49152:JZtQ7s/0xcupfZA9HtWtVvFqFn3rmtJMNo:J0rfZQstaFbSQ
Malware Config
Extracted
- Family: stealc
- Botnet: hate
- C2: http://85.28.47.30
- Attributes:
  - url_path: /920475a59bac849d.php
Extracted
- Family: amadey
- Version: 4.30
- Botnet: 4dd39d
- C2: http://77.91.77.82
- Attributes:
  - install_dir: ad40971b6b
  - install_file: explorti.exe
  - strings_key: a434973ad22def7137dbb5e059b7081e
  - url_paths: /Hun4Ko/index.php
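The two extracted configs contain everything a network detection needs: one bare-IP, plain-HTTP C2 per family and the path each family talks to on it. The following is an added example, not part of the sandbox report and not vendor code, that turns those values into a matcher over proxy-log lines. The "src METHOD url" line layout and the sample lines are constructed for the demonstration; the "medium" confidence for a host-only match is this example's own heuristic (justified by the Amadey config naming url_paths in the plural, so the same host may serve other endpoints).

```python
"""Network IoC matching from the Stealc and Amadey configs extracted above.
Added example; not code from the sandbox page. The 'src METHOD url' proxy
line layout and the sample lines are constructed for the demonstration."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class C2Profile:
    family: str
    host: str            # C2 host exactly as extracted (bare IP, plain HTTP)
    paths: frozenset     # URL paths the family talks to on that host


# Values from the Malware Config section of the report.
PROFILES = (
    C2Profile("stealc", "85.28.47.30", frozenset({"/920475a59bac849d.php"})),
    C2Profile("amadey", "77.91.77.82", frozenset({"/Hun4Ko/index.php"})),
)


def c2_urls():
    """Full C2 URLs (scheme + host + path) for blocklists or detection content."""
    return sorted(f"http://{p.host}{path}" for p in PROFILES for path in p.paths)


def classify_request(host, path):
    """Classify one outbound HTTP request.
    Returns (family, "high") when host and path both match an extracted profile,
    (family, "medium") when only the host matches (same C2, another endpoint;
    this host-only rule is the example's own heuristic), or None.
    """
    for p in PROFILES:
        if host == p.host:
            return (p.family, "high" if path in p.paths else "medium")
    return None


def scan_proxy_log(lines):
    """Scan proxy lines of the form 'src_ip METHOD url'; return matching hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                     # malformed line: skip rather than crash
        src, method, url = parts[:3]
        parsed = urlsplit(url)
        verdict = classify_request(parsed.hostname, parsed.path)
        if verdict is not None:
            hits.append({"src": src, "method": method, "url": url,
                         "family": verdict[0], "confidence": verdict[1]})
    return hits


# Constructed sample lines (not from the report's network capture).
SAMPLE_LOG = [
    "10.0.0.15 POST http://85.28.47.30/920475a59bac849d.php",  # Stealc check-in path
    "10.0.0.15 POST http://77.91.77.82/Hun4Ko/index.php",       # Amadey check-in path
    "10.0.0.15 GET http://77.91.77.82/other.php",               # same C2 host, path not in config (constructed)
    "10.0.0.22 GET https://www.youtube.com/account",            # benign: the URL the dropped 73672817a3.exe opened in firefox
    "garbage",                                                  # malformed line
]

if __name__ == "__main__":
    print("\n".join(c2_urls()))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Matching on the bare IP rather than a hostname matters here: neither C2 uses a DNS name, so DNS-based blocking never sees this traffic and the proxy or egress firewall is the control point.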
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
VBOX__ is the ACPI OEM ID VirtualBox writes into the guest's DSDT; Windows mirrors the ACPI table headers under HKLM\HARDWARE\ACPI, so opening this key is a direct VirtualBox fingerprint.
Processes: FHIDAKFIJJ.exe, explorti.exe, explorti.exe, explorti.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (FHIDAKFIJJ.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Downloads MZ/PE file
-
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, explorti.exe, FHIDAKFIJJ.exe, explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (FHIDAKFIJJ.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (FHIDAKFIJJ.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
Executes dropped EXE (6 IoCs)
Processes: FHIDAKFIJJ.exe, explorti.exe, 26dc005c05.exe, 73672817a3.exe, explorti.exe, explorti.exe
- PID 2664 FHIDAKFIJJ.exe
- PID 2968 explorti.exe
- PID 3384 26dc005c05.exe
- PID 2844 73672817a3.exe
- PID 2732 explorti.exe
- PID 1424 explorti.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: explorti.exe, explorti.exe, explorti.exe, FHIDAKFIJJ.exe
- Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine (FHIDAKFIJJ.exe)
Loads dropped DLL (2 IoCs)
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
- PID 3472 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
- PID 3472 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
- resource C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe, yara_rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger, a common anti-debugging step.
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, FHIDAKFIJJ.exe, explorti.exe, 26dc005c05.exe, explorti.exe, explorti.exe
- PID 3472 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
- PID 3472 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
- PID 2664 FHIDAKFIJJ.exe
- PID 2968 explorti.exe
- PID 3384 26dc005c05.exe
- PID 2732 explorti.exe
- PID 1424 explorti.exe
Drops file in Windows directory (1 IoC)
Processes: FHIDAKFIJJ.exe
- File created C:\Windows\Tasks\explorti.job (FHIDAKFIJJ.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments. In this run most of these reads come from firefox.exe, so this signature is weak evidence on its own; the VirtualBox ACPI, BIOS and Wine checks above are the ones attributable only to the dropped payloads.
Processes: firefox.exe, firefox.exe, d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Modifies registry class (1 IoC)
Processes: firefox.exe
- Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, FHIDAKFIJJ.exe, explorti.exe, explorti.exe, explorti.exe
- PID 3472 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe (x4)
- PID 2664 FHIDAKFIJJ.exe (x2)
- PID 2968 explorti.exe (x2)
- PID 2732 explorti.exe (x2)
- PID 1424 explorti.exe (x2)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: firefox.exe
- Token: SeDebugPrivilege, PID 5024 firefox.exe (x5)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: 73672817a3.exe, firefox.exe
- PID 2844 73672817a3.exe and PID 5024 firefox.exe, interleaved; 64 entries in total (the report's per-signature cap), the majority from 73672817a3.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: 73672817a3.exe
- PID 2844 73672817a3.exe (x64, the report's per-signature cap)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, cmd.exe, 26dc005c05.exe, firefox.exe
- PID 3472 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
- PID 2292 cmd.exe
- PID 3384 26dc005c05.exe
- PID 5024 firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe, cmd.exe, FHIDAKFIJJ.exe, explorti.exe, 73672817a3.exe, firefox.exe, firefox.exe
Each parent/target pair appears once per WriteProcessMemory call; the table is capped at 64 entries:
- PID 3472 (d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe) wrote to memory of PID 4924 (cmd.exe) (x3)
- PID 3472 (d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe) wrote to memory of PID 2292 (cmd.exe) (x3)
- PID 4924 (cmd.exe) wrote to memory of PID 2664 (FHIDAKFIJJ.exe) (x3)
- PID 2664 (FHIDAKFIJJ.exe) wrote to memory of PID 2968 (explorti.exe) (x3)
- PID 2968 (explorti.exe) wrote to memory of PID 3384 (26dc005c05.exe) (x3)
- PID 2968 (explorti.exe) wrote to memory of PID 2844 (73672817a3.exe) (x3)
- PID 2844 (73672817a3.exe) wrote to memory of PID 4832 (firefox.exe) (x2)
- PID 4832 (firefox.exe) wrote to memory of PID 5024 (firefox.exe) (x11)
- PID 5024 (firefox.exe) wrote to memory of PID 3236 (firefox.exe) (all remaining entries up to the 64-entry cap)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
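The anti-VM, anti-sandbox and persistence signatures above reduce to a handful of registry paths and one file path, which is exactly what a host-telemetry rule needs. The following is an added example, not from the report or its vendor, that scores per-process Sysmon-style events against those paths: the VBOX__ DSDT key, the two BIOS version values, the per-user Software\Wine key, and a .job file created under C:\Windows\Tasks. CentralProcessor reads are recorded as context only, because this very run shows firefox.exe performing them. The event records and their field names, the weights and the alert threshold are assumptions of the example, and the 10-hex-character Temp subdirectory pattern generalizes the single install_dir (ad40971b6b) in the Amadey config.

```python
"""Score Sysmon-style host events against the registry and file paths listed
in the report's signatures. Added example; not code from the sandbox page.
Field names (type, pid, image, target), weights and threshold are assumptions."""
import re
from collections import defaultdict

# Exact registry targets from the VirtualBox ACPI and BIOS signatures.
ANTI_ANALYSIS_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__": ("virtualbox_acpi", 3),
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": ("bios_version", 1),
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": ("bios_version", 1),
}
# Per-user Wine key; the SID differs per host, so match it with a pattern.
WINE_KEY = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Software\\Wine$", re.I)
# CentralProcessor reads: firefox.exe does these in the same run, so they are
# kept as context and never add to the score.
CPU_KEY = re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", re.I)
# Persistence artifact from 'Drops file in Windows directory' (explorti.job).
TASK_JOB = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
# Amadey install_dir was ad40971b6b; assume any 10-hex-char Temp subdir (generalization).
TEMP_DROP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$", re.I)
ALERT_THRESHOLD = 3  # assumption: a VBOX__ probe alone, or BIOS + Wine together, alerts


def score_events(events):
    """Aggregate indicators per (pid, image). Returns {(pid, image): {"score", "reasons"}}."""
    out = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        rec = out[(ev["pid"], ev["image"])]
        if ev["type"] == "registry":
            target = ev["target"]
            if target in ANTI_ANALYSIS_KEYS:
                name, weight = ANTI_ANALYSIS_KEYS[target]
                rec["score"] += weight
                rec["reasons"].append(name)
            elif WINE_KEY.match(target):
                rec["score"] += 2
                rec["reasons"].append("wine_key")
            elif CPU_KEY.match(target):
                rec["reasons"].append("cpu_info(context)")
        elif ev["type"] == "file_create" and TASK_JOB.match(ev["target"]):
            rec["score"] += 3
            rec["reasons"].append("tasks_job_drop")
        # Image living in a 10-hex-char Temp subdirectory: counted once per process.
        if TEMP_DROP.match(ev["image"]) and "temp_dropped_image" not in rec["reasons"]:
            rec["score"] += 1
            rec["reasons"].append("temp_dropped_image")
    return dict(out)


def alerts(events):
    """(pid, image) pairs whose score reaches the threshold, sorted by pid."""
    return sorted(k for k, v in score_events(events).items() if v["score"] >= ALERT_THRESHOLD)


# Image paths as they appear in the report's process tree.
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe"
DROPPER_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe"
AMADEY_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
FIREFOX_IMAGE = r"C:\Program Files\Mozilla Firefox\firefox.exe"


def _reg(pid, image, target):
    return {"type": "registry", "pid": pid, "image": image, "target": target}


# Constructed events mirroring the report's IoCs (not a real Sysmon export).
SAMPLE_EVENTS = [
    _reg(2664, DROPPER_IMAGE, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    _reg(2664, DROPPER_IMAGE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    _reg(2664, DROPPER_IMAGE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    _reg(2664, DROPPER_IMAGE, r"\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine"),
    {"type": "file_create", "pid": 2664, "image": DROPPER_IMAGE, "target": r"C:\Windows\Tasks\explorti.job"},
    _reg(2968, AMADEY_IMAGE, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    _reg(2968, AMADEY_IMAGE, r"\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Wine"),
    _reg(5024, FIREFOX_IMAGE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    _reg(5024, FIREFOX_IMAGE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"),
    _reg(3472, SAMPLE_IMAGE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
]

if __name__ == "__main__":
    for (pid, image), rec in score_events(SAMPLE_EVENTS).items():
        print(pid, image.rsplit("\\", 1)[-1], rec["score"], rec["reasons"])
    print("alerts:", alerts(SAMPLE_EVENTS))
```

With these weights the submitted sample (PID 3472) does not alert, which matches the report: only the dropped FHIDAKFIJJ.exe and explorti.exe perform the VirtualBox, BIOS and Wine checks, and only FHIDAKFIJJ.exe writes the .job file.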
Processes
-
- [1] C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe (PID 3472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 4924)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe"
    (the image resolves under SysWOW64: the 32-bit sample's request for system32\cmd.exe was redirected by WoW64)
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe (PID 2664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FHIDAKFIJJ.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 2968)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\1000006001\26dc005c05.exe (PID 3384)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\26dc005c05.exe"
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
        - [5] C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe (PID 2844)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe"
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          - [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4832)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            - Suspicious use of WriteProcessMemory
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5024)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3236, gpu)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0970aa4-7420-48b8-a72b-d2793f4bbebe} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" gpu
              - [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3212, socket)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2312 -prefMapHandle 2328 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbcf5138-d79e-4e28-b1ca-0ce3db864863} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" socket
              - [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4844, tab, childID 1)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3216 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abe896c3-f84a-495f-b630-3fbe658e3cc4} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab
              - [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3244, tab, childID 2)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3616 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2285e0c-835b-41e6-ae32-3b381e5054b2} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab
              - [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4968, utility)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4432 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4400 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87991970-55ff-42a9-a67a-cb44ee318548} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" utility
                - Checks processor information in registry
              - [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1612, tab, childID 3)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfa1d778-5831-4856-ace5-c490ad554d2f} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab
              - [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3540, tab, childID 4)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5672 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65444d8c-dfde-4d98-b08b-190daadebd72} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab
              - [8] C:\Program Files\Mozilla Firefox\firefox.exe (PID 1428, tab, childID 5)
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5844 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dfec077-3987-4b50-84da-ff60f4cfea9c} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" tab
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2292)
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe"
    (no child process for CGDGHCBGDH.exe appears in the tree)
    - Suspicious use of SetWindowsHookEx
- [1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 2732, top-level; no parent recorded)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- [1] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (PID 1424, top-level; no parent recorded)
  Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
The two parentless explorti.exe instances (PIDs 2732 and 1424), started with unquoted command lines, are consistent with relaunches through the scheduled task behind C:\Windows\Tasks\explorti.job, but the report does not show the launching process.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 593KB
  MD5 c8fd9be83bc728cc04beffafc2907fe9
  SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
- Filesize 2.0MB
  MD5 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\activity-stream.discovery_stream.json.tmp
  Filesize 18KB
  MD5 e923e7fdacbf535cc2e617fea862fda2
  SHA1 a60fd3c54df0b7604f22417b8d39d8efda1abc72
  SHA256 16977839ee713ec9528ab8a3326b99f0c0c65b59c0be156fb3e3fcfc9f5eca25
  SHA512 7eeb4e5a156085b15a5171f99e9aeba3061c51212376905fec2c1d0f0dc3640c683f798a0af4a1d80e1579bcb76dbf0f401979f87639c7aad0c381183c441bcd
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
  Filesize 13KB
  MD5 e92aba46c64cac912ff70246d1e5a9e0
  SHA1 29764cb543e59d0c1aa748af35db225f50ccb3ff
  SHA256 b1a6dfadd4b8f498bb50f63657eefa19bfb92d9a35e58a93d5f8b9ca61ce6e09
  SHA512 752b69c44f9c06e1abfd2021b9d9631c0c6923eaf4015665c758b23b9583b352c77408c922c9469f16b8441465f316850ee5bbaaea8443d482ce2b36fe2e1e83
- Filesize 2.4MB (same hashes as the submitted sample)
  MD5 08c7502b3315ce651b6b57849c1d7308
  SHA1 25d8366a04fca7105e7c38eac267ab787456f8c3
  SHA256 d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
  SHA512 d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d
- Filesize 1.2MB
  MD5 c9d56cd0a203897f2a7e757c6f56367d
  SHA1 f3ce65c3ddbc08ed507de1486992ed5d4dd67b6e
  SHA256 7f797431b98fc646e12d1c85be00527bd78a991830dc5160188ab77854959f4d
  SHA512 ad06efb0e7c6fd32c4e19929dd63bf4e53562f03ab9a96b8f45a115361cacb984aa2bb0600dffd1d9f68d2a60fb781449097fe1cfe78c10b3d9a2c2f3cb2c63e
- Filesize 1.8MB
  MD5 a7a231ef5b7166696111b8b2151f0b2c
  SHA1 4ae6e23e6a4c23dc421775a7a55f2329aa975d5b
  SHA256 c5f17aa887d0c753fe45bc555688baeeed494d445867cacbad8ba570a2a5249d
  SHA512 27756ffd4b67dc8034ef3d168fae3ba042da75ad7a5a530764bfd9418c8ed79f9b1edf056633e3d0d89c974a57e704a11ea923bed13e81e0beefdc43f1b7fb15
- Filesize 479KB
  MD5 09372174e83dbbf696ee732fd2e875bb
  SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
- Filesize 13.8MB
  MD5 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\AlternateServices.bin
  Filesize 8KB
  MD5 a5d33ec9e40fb7fbdf52ee87fa533ab7
  SHA1 4bdf5ed1eda3501814e31a2b9b49cade874463b4
  SHA256 f50a718cd64d312c22af9d4ce917237526b6f5a85630f7ff13b4cb2b89b949d8
  SHA512 f71c94c14cfbd359421032e0a603b18e0f9801b4c6fb12ff2233bc02df80b21c85993730f71b6cdede36a0805c887674039b41f92df233e51378f54ddbe3460b
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\AlternateServices.bin
  Filesize 12KB
  MD5 44353d444f92c370e3770ada5f88084a
  SHA1 bdd2cbd804a283817ce6edd88e81d5c2d6f754e3
  SHA256 1b7f34a20c862ea7fca356d7b81c83673500dacb753026c980d04f00343e24a4
  SHA512 961a1f943e98daddbd5e2dee69b626eab7daede03b63c059b4a6528b5ad48cdfb66ff94a3a94b0fd9c67124df8fdd475c57179e0831e9ac2cc9f060380ed498e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp
  Filesize 5KB
  MD5 900514b23ddceae3e9f6d002359c620f
  SHA1 2859dbd9d98654bddd894b1cab6eed1570baa717
  SHA256 6c17599af47ec5467aa6619395ce5ed2e07c04f03bfc875370ae3b5865bc63fe
  SHA512 74283f03a7ec2463aa1a0bcd556c8be3281379f96b395e7229176773c31948b916a84cb4a5cfb16ecce154015602d929c2ddb4e6fa5d723ff61126ae843d16e6
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp
  Filesize 5KB
  MD5 f1696abc0e81cd8ef46fe54c8421559f
  SHA1 88568243edd8c599f878f9cceffa020ce0c38c34
  SHA256 24ad9dae46263be6c956d674261d73c114c37c0f7df113e70e793f7b761cc96d
  SHA512 9199dc937449257676a8707e9f7ff15e45037a915955c6acf7158c504b876ceb9c1fec068615cf9c4c24f18e18df9b1c2abb78f78da177249886dcc111d3437e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\db\data.safe.tmp
  Filesize 15KB
  MD5 956cb816c367dfcc0f57ff6f8966484f
  SHA1 7643ae1e9bbd80f2ba6bdddbb370ab3a501ac246
  SHA256 dd312e38257d71f407f3cc1824cef8bd53c0d437f35e6233bdc9286b33ac2ab1
  SHA512 178a559b8caa26c2c3801c88cbec53d1f5379c2bb3728e63af049cdb9505c5faf0438e0cf462692d4c6052d75d091dde2fe626137c651b2bf1743f3642aa8a78
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\26617b8b-4c46-4592-a989-85e9dc52d6ab
  Filesize 671B
  MD5 83c2c2758a23b0a68d33d43480640ac6
  SHA1 08fd6898ad19a7838b713ce0d5fc46b2dc10ef45
  SHA256 af91ce1898b2256f67186e92ab286472971cec3472c277f4f6c15169dddb1a7f
  SHA512 c6e15251d6426cf294806f3633bbb93df8dc11aa2a7850f9b91248d9861d1ec23c61c9aec02ace1bce56e77d79ca08f5afa801b1dc687feedd39951f36d93335
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\4636df95-23d3-4981-bc37-7b5073c8b414
  Filesize 25KB
  MD5 e43b5b22bc6c1050b69a70ba9ad929be
  SHA1 886b2ee4624566301cf9f9e53e0819b59e73ae54
  SHA256 4397b0103f7989224e1ee01d705391f44c27ec6c6266610314dd383de42c7a87
  SHA512 d98e4f89fcdcf26ff46833f55a28e05b5312a534382b118d208c25edd6dc8fb6458de4cd82d1d0007236cbfa2054022c857e87799ca93040ab4a92ae7826d934
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\datareporting\glean\pending_pings\73062e86-9cac-43ba-aaab-2fa468db4c65
  Filesize 982B
  MD5 56da6cc89617076bbb97fbf4a11d32e1
  SHA1 549e501da1266ad7252ae15fe10e73a73e779756
  SHA256 460e7c84bbabc01b30df3f1ad666fe0f94665dd637761c0a0636029671adaba5
  SHA512 6a48902a942c7f3cdda1b011fafe564225f07a829dc196ffd42d1a8553df48707a1f56f2be4ccc60a00e0f12abf07ee0b02fc67661d3ba0f0e8cf6d9bca9af1d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize 1.1MB
  MD5 842039753bf41fa5e11b3a1383061a87
  SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize 116B
  MD5 2a461e9eb87fd1955cea740a3444ee7a
  SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize 372B
  MD5 bf957ad58b55f64219ab3f793e374316
  SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize 17.8MB
  MD5 daf7ef3acccab478aaa7d6dc1c60f865
  SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
- Filesize 12KB
  MD5 5652f1dbc4a0f838139dffe0d16e76fe
  SHA1 239bdb10b4b512a9988655558f77f82ff7599a7f
  SHA256 64fcbe258f7788129cf54f9edbd2f1c4feb3d39b3d9ebf0d62f0fe0843b5efd7
  SHA512 f596f6230a9d44778538ef1ad5282d81cc0cc7b7e9265387d2e779448af508412a485325365773f4369ae244645a435fc67ea4b763cce586a5ff616e1e5f1782
- Filesize 11KB
  MD5 8254b574891fffed6ef5175fd7ba6f4f
  SHA1 c1b16de70536753f98c806daa51d1c1f3867827e
  SHA256 e715af75f970938aa6be8a2ca1c8003c34026351df30b40d3a1aed0cee366046
  SHA512 2185a99904bb6f13daa96e3a00552af03e3103d141f3771a02e93f01fff42761f6a4e1b5b49975a73506f7dfef068e03bdc7251a5b09768c1659b1cf3ffac653
- Filesize 11KB
  MD5 ff8d26327ce9170cd9247dcabaa9e71c
  SHA1 46c0c530fff0e7ecb45725b593204cb9229ba3d2
  SHA256 1aa78d40777ce90a46acfeab0c987c4313b61d204f0b7086ea8234b47e1cf108
  SHA512 aa34b5ca4d961df7c178c829470541e4377f901865eaa0ae4ad6fb810f76dbf7d0c7a83797e195816441338992c26583506a77c55e07f12ae30ac4fbee5544f8
- Filesize 8KB
  MD5 ec131422acbf09d378394a407b9a30fe
  SHA1 55f474557f74880ae0ff04f33ced4c68fd5f385b
  SHA256 e54f2981f6cc43f4bf1abb3bbe03bbf9a80ce2857e960a49a9bb8970d3fabe61
  SHA512 e291cb9e372ca97b5dab66821a8dc72ad8578e3db46d29b4c8639b2536f47db16968e4ebb89bd8056fe35a3a841260409c3a17e07b9d1cb2a7479afdf2251e40
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7qnbgwy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize 2.2MB
  MD5 e6521633a0724f0ac9cb3fa6afa6beb9
  SHA1 854a6b1334ea3b471d3a54f484de3d28103e0c48
  SHA256 894ff64cad662f87d85232e0d2bf821ea6665edfa95d60dff1f55b423f5a896c
  SHA512 06b02fe8471d6fbdc5e923482bb856a72da1e3ce387e864c9b5829e861db347fa8d12f6183834023ecb0bb62067dfa78fcf9f0a14eabd929fe4d125d66f561fb