Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 06:13
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240708-en

General
Target: file.exe
Size: 2.4MB
MD5: 08c7502b3315ce651b6b57849c1d7308
SHA1: 25d8366a04fca7105e7c38eac267ab787456f8c3
SHA256: d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4
SHA512: d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d
SSDEEP: 49152:JZtQ7s/0xcupfZA9HtWtVvFqFn3rmtJMNo:J0rfZQstaFbSQ
Malware Config
Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
url_path: /920475a59bac849d.php

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GIECFIEGDB.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GIECFIEGDB.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GIECFIEGDB.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | file.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | GIECFIEGDB.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 28a2604c3e.exe

Executes dropped EXE (6 IoCs)
Processes:
pid | process
920 | GIECFIEGDB.exe
1436 | explorti.exe
4912 | 184073f30f.exe
4160 | 28a2604c3e.exe
3288 | explorti.exe
5880 | explorti.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | GIECFIEGDB.exe
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | explorti.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
4476 | file.exe
4476 | file.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes:
pid | process
4476 | file.exe
4476 | file.exe
920 | GIECFIEGDB.exe
1436 | explorti.exe
4912 | 184073f30f.exe
4912 | 184073f30f.exe
3288 | explorti.exe
5880 | explorti.exe

Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | GIECFIEGDB.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | file.exe

Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid | process
4476 | file.exe
4476 | file.exe
4476 | file.exe
4476 | file.exe
920 | GIECFIEGDB.exe
920 | GIECFIEGDB.exe
1436 | explorti.exe
1436 | explorti.exe
3288 | explorti.exe
3288 | explorti.exe
5880 | explorti.exe
5880 | explorti.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4256 | firefox.exe
Token: SeDebugPrivilege | 4256 | firefox.exe
Token: SeDebugPrivilege | 4256 | firefox.exe
Token: SeDebugPrivilege | 4256 | firefox.exe
Token: SeDebugPrivilege | 4256 | firefox.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (64 IoCs recorded; repeated identical rows collapsed):
pid | process
4160 | 28a2604c3e.exe
4256 | firefox.exe

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (64 IoCs recorded; repeated identical rows collapsed):
pid | process
4160 | 28a2604c3e.exe
4256 | firefox.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
4476 | file.exe
3048 | cmd.exe
4912 | 184073f30f.exe
4256 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (64 IoCs recorded; repeated identical rows collapsed):
description | pid | process | target process
PID 4476 wrote to memory of 5008 | 4476 | file.exe | cmd.exe
PID 4476 wrote to memory of 3048 | 4476 | file.exe | cmd.exe
PID 5008 wrote to memory of 920 | 5008 | cmd.exe | GIECFIEGDB.exe
PID 920 wrote to memory of 1436 | 920 | GIECFIEGDB.exe | explorti.exe
PID 1436 wrote to memory of 4912 | 1436 | explorti.exe | 184073f30f.exe
PID 1436 wrote to memory of 4160 | 1436 | explorti.exe | 28a2604c3e.exe
PID 4160 wrote to memory of 3536 | 4160 | 28a2604c3e.exe | firefox.exe
PID 3536 wrote to memory of 4256 | 3536 | firefox.exe | firefox.exe
PID 4256 wrote to memory of 3136 | 4256 | firefox.exe | firefox.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4476

C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"
- Suspicious use of WriteProcessMemory
PID: 5008

C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 920

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1436

C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\184073f30f.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID: 4912

C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000011001\28a2604c3e.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4160

C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Suspicious use of WriteProcessMemory
PID: 3536

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4256

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2f328a4-ea5f-4aed-98ad-820326900c16} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" gpu
PID: 3136

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14d60418-55c6-40b5-9f92-e5613b8acf00} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" socket
PID: 5104

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3272 -prefMapHandle 3328 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b2b40d5-4d59-4b31-b457-bcabaf1bbbb1} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab
PID: 1848

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3864 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3156 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4081d0b8-68d6-47b9-9b1e-d9300d4c371f} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab
PID: 2356

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4656 -prefMapHandle 4652 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de107624-ccd2-4890-8e68-81b0c9f1a463} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" utility
- Checks processor information in registry
PID: 944

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5240 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc9f99a3-34f9-406c-8b65-b041965f93fd} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab
PID: 5672

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5640 -prefMapHandle 5636 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e03756c4-4165-4c27-a5a8-31f05a753b9b} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab
PID: 5684

C:\Program Files\Mozilla Firefox\firefox.exe (depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5784 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bc53733-c106-49a5-bcf0-a5a05c8f177f} 4256 "\\.\pipe\gecko-crash-server-pipe.4256" tab
PID: 5696

C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCAEHDBAAE.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID: 3048

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3288

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 5880
Network
MITRE ATT&CK Enterprise v15
Downloads